ADVISORIES
GEM
SEVERITY
CVSS v3.x: 5.9 (Medium)
PATCHED VERSIONS
- >= 2.8.5
DESCRIPTION
Summary
Mechanize (rubygem) < v2.8.5
leaks the Authorization
header after a
redirect to a different port on the same site.
Mitigation
Upgrade to Mechanize v2.8.5 or later.
Notes
See https://curl.se/docs/CVE-2022-27776.html for a similar vulnerability in curl.
Cookies are shared with a server at a different port on the same site, per https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:
> Cookies do not provide isolation by port. If a cookie is readable > by a service running on one port, the cookie is also readable by a > service running on another port of the same server. If a cookie is > writable by a service on one port, the cookie is also writable by a > service running on another port of the same server. For this > reason, servers SHOULD NOT both run mutually distrusting services on > different ports of the same host and use cookies to store security- > sensitive information.