Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nbTk4LWcyd2YtN2M2OM4AA8GK
amphp/artax Cookie leakage to wrong origins and non-restricted cookie acceptance
In artax version before 1.0.6 and 2 before 2.0.6, cookies of foo.bar.example.com were leaked to foo.bar. Additionally, any site could set cookies for any other site.
Artax fixed this issue by following newer browser implementations now. Cookies can only be set on domains higher or equal to the current domain, but not on any public suffixes.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nbTk4LWcyd2YtN2M2OM4AA8GK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 7 months ago
Identifiers: GHSA-gm98-g2wf-7c68
References:
- https://github.com/amphp/artax/commit/25668b891d2bced567bd69611c7d18b6a93d5fc4
- https://github.com/amphp/artax/commit/accdadaf78f7a43305c3a97d6a964bbc550a555d
- https://github.com/FriendsOfPHP/security-advisories/blob/master/amphp/artax/2017-05-09.yaml
- https://github.com/amphp/artax/releases/tag/v2.0.6
- https://github.com/advisories/GHSA-gm98-g2wf-7c68
Blast Radius: 0.0
Affected Packages
packagist:amphp/artax
Dependent packages: 94Dependent repositories: 91
Downloads: 804,932 total
Affected Version Ranges: < 1.0.6, >= 2, < 2.0.6
Fixed in: 1.0.6, 2.0.6
All affected versions: 0.1.0, 0.3.7, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5
All unaffected versions: 1.0.6, 2.0.6, 2.0.7, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14