GHSA-gm98-g2wf-7c68: amphp/artax Cookie leakage to wrong origins and non-restricted cookie acceptance
In artax version before 1.0.6 and 2 before 2.0.6, cookies of foo.bar.example.com were leaked to foo.bar. Additionally, any site could set cookies for any other site.
Artax fixed this issue by following newer browser implementations now. Cookies can only be set on domains higher or equal to the current domain, but not on any public suffixes.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/amphp/artax/2017-05-09.yaml
- github.com/advisories/GHSA-gm98-g2wf-7c68
- github.com/amphp/artax
- github.com/amphp/artax/commit/25668b891d2bced567bd69611c7d18b6a93d5fc4
- github.com/amphp/artax/commit/accdadaf78f7a43305c3a97d6a964bbc550a555d
- github.com/amphp/artax/releases/tag/v2.0.6
Code Behaviors & Features
Detect and mitigate GHSA-gm98-g2wf-7c68 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →