mailing list archives
Re: CVE request: Juvia secret token handling
From: cve-assign () mitre org
Date: Tue, 17 Dec 2013 19:56:18 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Juvia is a Ruby on Rails application to host "comments":
A commenting server similar to Disqus and IntenseDebate
It includes a "default" secret to validate cookies in
`app/config/initializers/secret_token.rb', and the install instructions
do not include generating a new secret.
Also the file in question is maintained in git, and configuration
should not touch these files.
This means an attacker could modify session state, which is somehow
trusted by the Rails application.
A workaround for Juvia is to generate a new secret (`rake secret') and
replace the one in
`app/config/initializers/secret_token.rb' (invalidating all cookies,
don't forget to restart Juvia).
You have to be careful when switching between git branches and so on to
not loose the change.
The core problem is that rails generated the file that way; other gems
have similar issues.
The rails security team has been informed about this.
They would be eligible for their own CVE ID if they conclude that this is
a security-relevant implementation error in the file-generation process.
The CVE below is specific to Juvia, for the issue in which a valid
Juvia::Application.config.secret_token value is "shipped" in the product
without an installation step in which the value must be changed.
* Juvia "public" secret:
* Juvia issue for this: https://github.com/phusion/juvia/issues/55
CVE assignment team, MITRE CVE Numbering Authority
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
-----END PGP SIGNATURE-----