
=====================================================================

                               CERT-Renater

                   Information Note No. 2021/VULN609
_____________________________________________________________________

DATE                : 16/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CVE-2021-43616 versions prior to 4.0.0.

=====================================================================
https://github.com/discourse/rails_multisite/security/advisories/GHSA-844m-cpr9-jcmh
_____________________________________________________________________

Secure/signed cookies share secrets between sites in a multi-site
application

moderate    jomaxro published GHSA-844m-cpr9-jcmh

Package
 rails_multisite (RubyGems)

Affected versions
< 4.0.0

Patched versions
>= 4.0.0


Description

Impact

This vulnerability impacts any Rails applications using rails_multisite
alongside Rails' signed/encrypted cookies. Depending on how the
application makes use of these cookies, it may be possible for an
attacker to re-use cookies on different 'sites' within a multi-site
Rails application.
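To make the impact concrete, the following is an added Ruby example (not code from the gem or from this advisory). It models a Rails-style signed cookie whose HMAC key is derived from a shared secret_key_base and a cookie salt, and shows why a cookie minted for one site verifies on another when every site shares the same derivation; the site-scoped salt in the corrected variant is an assumed illustration of the mitigation, not a transcript of the gem's actual change, and all secrets and values are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Minimal stand-in for a Rails signed cookie: "<base64 payload>--<hmac hex>".
# The signing key is derived from the application secret and a salt, in the
# manner of ActiveSupport::KeyGenerator (PBKDF2-HMAC over secret_key_base).
class SignedCookieJar
  def initialize(secret_key_base, scope_salt_by_site: false)
    @secret = secret_key_base
    @scoped = scope_salt_by_site
  end

  # Shared salt (the pre-4.0.0 situation) versus a salt that also carries the
  # site name (assumed illustration of per-site scoping).
  def salt_for(site)
    @scoped ? "signed cookie #{site}" : "signed cookie"
  end

  def key_for(site)
    OpenSSL::PKCS5.pbkdf2_hmac(@secret, salt_for(site), 1000, 32,
                               OpenSSL::Digest.new('SHA256'))
  end

  def generate(value, site:)
    payload = Base64.strict_encode64(JSON.generate(value))
    "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', key_for(site), payload)}"
  end

  # Returns the cookie's value if its signature is valid under `site`'s key,
  # otherwise nil. Comparison is constant-time to avoid timing leaks.
  def verify(cookie, site:)
    payload, digest = cookie.to_s.split('--', 2)
    return nil unless payload && digest
    expected = OpenSSL::HMAC.hexdigest('SHA256', key_for(site), payload)
    return nil unless secure_equal?(expected, digest)
    JSON.parse(Base64.strict_decode64(payload))
  end

  private

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

SECRET = 'constructed-demo-secret-not-a-real-key' # constructed sample value

# Deployment check: does a cookie issued for site_a verify on site_b?
def cookie_accepted_across_sites?(scoped)
  jar = SignedCookieJar.new(SECRET, scope_salt_by_site: scoped)
  cookie = jar.generate({ 'user_id' => 42 }, site: 'site_a')
  !jar.verify(cookie, site: 'site_b').nil?
end
```

With a shared salt the cross-site check returns true, which is the condition the advisory describes; with the site-scoped salt it returns false, and, as the Patches section notes, changing the derivation also invalidates every cookie issued under the old key.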


Patches

The issue has been patched in v4 of the rails_multisite gem. Note that
this upgrade will invalidate all previous signed/encrypted cookies. The
impact of this invalidation will vary based on the application
architecture.


CVE ID
CVE-2021-41263

CVSS Score
6.2 Moderate
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:H


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


