Spree Hardcoded config.action_controller_session Hash Value Cryptographic Protection Weakness
Published: August 12, 2008
SECURITY IDENTIFIERS
- CVE: CVE-2008-7311 (NVD)
- GHSA: GHSA-g466-57gh-cqfw
- OSVDB: OSVDB-81506
- Vendor Advisory: https://spreecommerce.com/blog/security-vulernability-session-cookie-store
GEM
SEVERITY
CVSS v2.0: 5.0 (Medium)
PATCHED VERSIONS
>= 0.3.0
DESCRIPTION
Spree contains a flaw in which the config.action_controller_session hash value is hardcoded. This may allow an attacker to more easily bypass cryptographic protection.
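
One way to check an application's configuration for this condition, as an added example that is not code from Spree or from the advisory. It assumes the Rails 2.x form `config.action_controller.session = { ..., :secret => ... }` for the setting the advisory names; the function name and both sample configs are constructed for illustration.

```ruby
# Added example: flag a session secret written as a string literal in a
# Rails 2.x-style config file. Setting and key names are assumptions.
SESSION_HASH   = /config\.action_controller\.session\s*=\s*\{(.*?)\}/m
LITERAL_SECRET = /:secret\s*=>\s*(['"])(.*?)\1/m

# Returns one finding per session hash whose :secret is a quoted literal.
# Limitation: regex-based, so nested braces or string interpolation inside
# the hash are not parsed.
def hardcoded_session_secrets(source)
  text = source.gsub(/^[ \t]*#.*$/, '') # blank out comment lines, keep newlines
  findings = []
  pos = 0
  while (m = SESSION_HASH.match(text, pos))
    pos = m.end(0)
    literal = m[1].match(LITERAL_SECRET)
    next unless literal
    findings << { line: text[0...m.begin(0)].count("\n") + 1,
                  literal_length: literal[2].length }
  end
  findings
end

# Constructed sample: secret committed to the repository, so every
# installation that keeps the file shares the same value.
SHIPPED_STYLE = <<~'CONFIG'
  Rails::Initializer.run do |config|
    config.action_controller.session = {
      :session_key => '_example_session',
      :secret      => 'constructed-placeholder-value'
    }
  end
CONFIG

# Constructed sample: secret supplied per deployment at boot time.
FROM_ENVIRONMENT = <<~'CONFIG'
  Rails::Initializer.run do |config|
    config.action_controller.session = {
      :session_key => '_example_session',
      :secret      => ENV.fetch('SESSION_SECRET')
    }
  end
CONFIG

if __FILE__ == $PROGRAM_NAME
  { 'shipped' => SHIPPED_STYLE, 'env' => FROM_ENVIRONMENT }.each do |name, src|
    puts "#{name}: #{hardcoded_session_secrets(src).inspect}"
  end
end
```

A finding means the secret in that file should be replaced with a per-deployment value and the old one treated as public.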
