Vulnerability Description
The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Spreecommerce | Spree | 0.2.0 |
References
- http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-s (Vendor Advisory)
- http://support.spreehq.org/issues/show/63
FAQ
What is CVE-2008-7311?
CVE-2008-7311 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic...
How severe is CVE-2008-7311?
CVE-2008-7311 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-7311?
Check the references section above for vendor advisories and patch information. Affected products include: Spreecommerce Spree.