CVE-2008-7311: Credentials Management Errors

April 5, 2012 (updated April 12, 2012)

The session cookie store implementation in Spree uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.

References

spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/
support.spreehq.org/issues/show/63
nvd.nist.gov/vuln/detail/CVE-2008-7311

Code Behaviors & Features

Detect and mitigate CVE-2008-7311 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →