- <= 1.6.0
- >= 1.8.0
rest-client in abstract_response.rb improperly handles Set-Cookie headers on HTTP 30x redirection responses: every cookie set in the redirect response is forwarded to the redirection target regardless of its Domain, Path, or expiration attributes.
If you control a redirection source, you can make rest-client send a request to any third-party domain carrying cookies of your choosing, which is useful for a session fixation attack against that domain.
If you control a redirection target, you receive any cookies that the third-party redirecting host set on the client, so you can steal them.
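To make both scenarios concrete, the following is an added example (not rest-client's own code and not part of the advisory). It models a 30x response as a constructed struct and contrasts a forwarder that behaves like the defect described above with one that applies the domain, path, expiry and Secure checks a cookie jar is supposed to apply before a cookie follows a redirect. The struct, function names and hosts (`attacker.example`, `bank.example`) are invented for illustration.

```ruby
require 'uri'
require 'time'

# Constructed stand-in for an HTTP 30x response: status code, Location header
# and the raw Set-Cookie header values. No network access is involved.
RedirectResponse = Struct.new(:status, :location, :set_cookie)

# Parse one Set-Cookie header value into its name/value pair and attributes.
# Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to nil.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    key, val = attr.split('=', 2)
    acc[key.downcase] = val
  end
  { name: name, value: value, attrs: attributes }
end

# Models the defect described in the advisory: every cookie set by the 30x
# response is handed to the redirect target, whatever its attributes say.
def vulnerable_redirect_cookies(response)
  response.set_cookie.each_with_object({}) do |header, jar|
    cookie = parse_set_cookie(header)
    jar[cookie[:name]] = cookie[:value]
  end
end

# RFC 6265 domain matching: host equals the domain or is a subdomain of it.
def domain_match?(host, domain)
  d = domain.sub(/\A\./, '').downcase
  h = host.downcase
  h == d || h.end_with?(".#{d}")
end

# RFC 6265 path matching against the cookie's Path (default "/" here, a
# simplification of the default-path rule).
def path_match?(cookie_path, request_path)
  cp = cookie_path || '/'
  rp = request_path.empty? ? '/' : request_path
  rp == cp || (rp.start_with?(cp) && (cp.end_with?('/') || rp[cp.length] == '/'))
end

def expired?(attrs, now)
  return attrs['max-age'].to_i <= 0 if attrs.key?('max-age')
  return Time.parse(attrs['expires']) <= now if attrs['expires']
  false
rescue ArgumentError
  true # an unparseable Expires is treated as already expired
end

# Hardened forwarder: a cookie only travels to the redirect target when the
# target is within the cookie's domain and path, the cookie has not expired,
# and a Secure cookie is not downgraded onto a plain-HTTP target.
def hardened_redirect_cookies(origin_url, response, now: Time.now)
  origin = URI(origin_url)
  target = URI.join(origin_url, response.location)
  response.set_cookie.each_with_object({}) do |header, jar|
    cookie = parse_set_cookie(header)
    a = cookie[:attrs]
    if a['domain']
      # A Domain that does not cover the host that set the cookie is rejected
      # outright (RFC 6265 section 5.3), which blocks "Domain=<victim>" fixation attempts.
      next unless domain_match?(origin.host, a['domain'])
      next unless domain_match?(target.host, a['domain'])
    else
      next unless target.host == origin.host # host-only cookie
    end
    next unless path_match?(a['path'], target.path)
    next if expired?(a, now)
    next if a.key?('secure') && target.scheme != 'https'
    jar[cookie[:name]] = cookie[:value]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Session fixation: attacker-controlled source redirects to the victim site
  # after setting a session cookie of the attacker's choosing.
  fixation = RedirectResponse.new(302, 'https://bank.example/account',
                                  ['session=attacker-chosen; Path=/'])
  p vulnerable_redirect_cookies(fixation)
  p hardened_redirect_cookies('http://attacker.example/login', fixation)
  # Cookie theft: victim site sets a session cookie, then redirects to the attacker.
  theft = RedirectResponse.new(302, 'https://attacker.example/',
                               ['session=secret123; Path=/; Secure; HttpOnly'])
  p vulnerable_redirect_cookies(theft)
  p hardened_redirect_cookies('https://bank.example/login', theft)
end
```

In the fixation case the vulnerable forwarder delivers `session=attacker-chosen` to `bank.example`; in the theft case it delivers `bank.example`'s `session=secret123` to `attacker.example`. The hardened forwarder returns an empty jar in both cases because a host-only cookie never leaves the host that set it. The checks here are deliberately minimal (no public suffix list, no default-path rule, no persistence across hops); in a real client the right fix is to route redirect cookies through a proper cookie jar rather than to reimplement these rules by hand.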