Rack Session Cookie Decryption Failure Vulnerability Allowing Session Data Manipulation

Vulnerability

A vulnerability exists in Rack::Session::Cookie versions 2.0.0 up to, but not including, 2.1.2, in how decryption failures are handled when the 'secrets' configuration is used. Instead of rejecting a cookie that cannot be decrypted, the implementation falls back to a default decoder and accepts the unencrypted cookie as valid session data. An unauthenticated attacker can therefore craft a session cookie that is recognized as legitimate without knowing the configured secret. Because this mechanism loads session state, an attacker could alter session contents and potentially gain unauthorized access.

Impact

Exploitation of this vulnerability could lead to authentication bypass or privilege escalation, particularly in applications that use session values for identity or authorization decisions. Additionally, depending on the application's behavior and runtime components, processing untrusted session data could introduce further risks.

Remediation

Users are advised to update to Rack::Session version 2.1.2 or later, which addresses the vulnerability by rejecting cookies when decryption fails under the 'secrets' configuration. After updating, it is recommended to rotate session secrets to invalidate existing session cookies, as attacker-supplied session data may have been accepted and re-issued prior to the fix.
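As an added illustration (not rack-session's own code), the following Ruby model shows the fallback pattern the advisory describes beside the fail-closed behaviour of the fix: the AES-GCM cookie layout, the secret, and the cookie contents are all constructed for this example.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed demo secret standing in for the 'secrets' configuration (32 bytes for AES-256).
SECRET = OpenSSL::Digest::SHA256.digest("constructed-demo-secret")

# Encrypt a session hash with AES-256-GCM; the cookie is base64(iv | tag | ciphertext).
def encrypt_session(data, key = SECRET)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv # 12 bytes
  ct = cipher.update(JSON.generate(data)) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ct) # auth_tag is available only after final
end

# Returns the session hash, or nil when the cookie cannot be authenticated and decrypted.
def decrypt_session(cookie, key = SECRET)
  raw = Base64.strict_decode64(cookie)
  iv, tag, ct = raw[0, 12], raw[12, 16], raw[28..]
  return nil if iv.nil? || tag.nil? || ct.nil? || iv.bytesize != 12 || tag.bytesize != 16
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ct) + cipher.final) # raises CipherError if the tag does not verify
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# Flawed pattern from the advisory: when decryption fails, fall back to a plain
# decoder, so an unencrypted base64(JSON) cookie is accepted as session data.
def load_session_with_fallback(cookie)
  decrypt_session(cookie) || JSON.parse(Base64.strict_decode64(cookie))
rescue ArgumentError, JSON::ParserError
  {}
end

# Fail-closed pattern (the fix): a cookie that does not decrypt yields an empty session.
def load_session_fail_closed(cookie)
  decrypt_session(cookie) || {}
end
```

Both loaders accept a cookie produced by encrypt_session; only the fail-closed loader discards a cookie that is merely base64-encoded JSON.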

Added: Apr 7, 2026, 8:29 PM
Updated: Apr 7, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.