Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12OTg4LTgyOHcteHZmMs0WrA
Authentication Bypass Using an Alternate Path or Channel and Authentication Bypass by Primary Weakness in rucio-webui
Impact
rucio-webui installations of the 1.26 release line potentially leak the contents of cookies to other sessions within a wsgi container. Impact is that Rucio authentication tokens are leaked to other users accessing the webui within a close timeframe, thus allowing users to access the webui with the leaked authentication token. Privileges are therefore also escalated.
Rucio server / daemons are not affected by this issue, it is isolated to the webui.
Patches
This issue is fixed in the 1.26.7 release of the rucio-webui.
Workarounds
Installation of the 1.25.7 webui release. The 1.25 and previous webui release lines are not affected by this issue.
References
https://github.com/rucio/rucio/issues/4928
Permalink: https://github.com/advisories/GHSA-v988-828w-xvf2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OTg4LTgyOHcteHZmMs0WrA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
Identifiers: GHSA-v988-828w-xvf2
References:
- https://github.com/rucio/rucio/security/advisories/GHSA-v988-828w-xvf2
- https://github.com/rucio/rucio/issues/4810
- https://github.com/rucio/rucio/issues/4928
- https://github.com/rucio/rucio/releases/tag/1.26.7
- https://github.com/rucio/rucio/commit/8f832404ae88d6300e17d7e706b40fe58e0df90c
- https://github.com/advisories/GHSA-v988-828w-xvf2
Blast Radius: 0.0
Affected Packages
pypi:rucio-webui
Dependent packages: 0Dependent repositories: 2
Downloads: 122 last month
Affected Version Ranges: >= 1.26.0, < 1.26.7
Fixed in: 1.26.7
All affected versions: 1.26.0, 1.26.1, 1.26.2, 1.26.4, 1.26.5, 1.26.6
All unaffected versions: 1.5.10, 1.5.11, 1.5.12, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.10.0, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.13.0, 1.13.1, 1.13.2, 1.14.2, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.17.1, 1.17.2, 1.17.5, 1.17.6, 1.17.7, 1.17.8, 1.18.0, 1.18.1, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.18.7, 1.18.8, 1.18.9, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.19.6, 1.19.7, 1.19.8, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.20.7, 1.20.8, 1.20.9, 1.20.10, 1.20.11, 1.20.13, 1.20.14, 1.20.15, 1.20.16, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.21.6, 1.21.7, 1.21.8, 1.21.10, 1.21.12, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.6, 1.22.7, 1.22.8, 1.23.0, 1.23.1, 1.23.2, 1.23.4, 1.23.5, 1.23.6, 1.23.7, 1.23.8, 1.23.9, 1.23.10, 1.23.11, 1.23.12, 1.23.13, 1.23.14, 1.23.15, 1.23.17, 1.23.18, 1.23.19, 1.23.20, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.24.4, 1.24.5, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.25.4, 1.25.5, 1.25.6, 1.25.7, 1.26.7, 1.26.8, 1.26.9, 1.26.10, 1.26.11, 1.26.12, 1.26.13, 1.26.14, 1.26.15, 1.26.16, 1.26.17, 1.26.18, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.27.4, 1.27.5, 1.27.7, 1.27.9, 1.27.10, 1.27.11, 1.27.12, 1.28.0, 1.28.1, 1.28.2, 1.28.3, 1.28.4, 1.28.5, 1.28.6, 1.28.7, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.29.4, 1.29.5, 1.29.6, 1.29.7, 1.29.8, 1.29.9, 1.29.10, 1.29.11, 1.29.12, 1.29.13, 1.29.14, 1.29.15, 1.29.16, 1.29.17, 1.30.0, 1.30.1, 1.30.2, 1.30.3, 1.30.4, 1.30.5, 1.30.6, 1.30.7, 1.30.8, 1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.31.4, 1.31.5, 1.31.6, 1.31.7, 32.0.0, 32.1.0, 32.2.0, 32.3.0, 32.3.1, 32.4.0, 32.5.0, 32.5.1, 32.6.0, 32.7.0, 32.8.0, 32.8.1, 33.0.0, 33.1.0, 33.2.0, 33.2.1, 33.3.0, 33.4.0, 33.5.0, 33.6.0, 33.6.1, 34.0.0, 34.1.0, 34.2.0