VulnerableCode Package Details - pkg:gem/rails@6.1.7.7

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-65tq-e5eb-eucj	Rails has possible Sensitive Session Information Leak in Active Storage # Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this!	CVE-2024-26144 GHSA-8h22-8cf7-hq6g

Vulnerability

Summary

Aliases

VCID-65tq-e5eb-eucj

Rails has possible Sensitive Session Information Leak in Active Storage # Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this!

CVE-2024-26144
GHSA-8h22-8cf7-hq6g

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T00:11:15.950094+00:00	GitLab Importer	Fixing	VCID-65tq-e5eb-eucj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26144.yml	38.3.0
2026-04-03T00:17:16.888583+00:00	GitLab Importer	Fixing	VCID-65tq-e5eb-eucj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26144.yml	38.1.0
2026-04-01T12:52:35.158369+00:00	GitLab Importer	Fixing	VCID-65tq-e5eb-eucj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26144.yml	38.0.0