Moderate severityNVD Advisory· Published Nov 21, 2007· Updated Apr 23, 2026
CVE-2007-6077
CVE-2007-6077
Description
The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
railsRubyGems | < 1.2.6 | 1.2.6 |
Affected products
1- cpe:2.3:a:rubyonrails:rails:1.2.4:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
15- dev.rubyonrails.org/ticket/10048nvdPatchWEB
- secunia.com/advisories/27781nvdVendor AdvisoryWEB
- secunia.com/advisories/28136nvdVendor AdvisoryWEB
- www.vupen.com/english/advisories/2007/4009nvdVendor AdvisoryWEB
- www.vupen.com/english/advisories/2007/4238nvdVendor AdvisoryWEB
- github.com/advisories/GHSA-p4c6-77gc-694xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2007-6077ghsaADVISORY
- dev.rubyonrails.org/changeset/8177nvdWEB
- docs.info.apple.com/article.htmlnvdWEB
- lists.apple.com/archives/security-announce/2007/Dec/msg00002.htmlnvdWEB
- weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-releasenvdWEB
- www.securityfocus.com/bid/26598nvdWEB
- www.us-cert.gov/cas/techalerts/TA07-352A.htmlnvdUS Government ResourceWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-6077.ymlghsaWEB
- rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-releaseghsaWEB
News mentions
0No linked articles in our index yet.