Source: ruby-mechanize
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for ruby-mechanize.

CVE-2022-31033[0]:
| The Mechanize library is used for automating interaction with
| websites. Mechanize automatically stores and sends cookies, follows
| redirects, and can follow links and submit forms. In versions prior to
| 2.8.5 the Authorization header is leaked after a redirect to a
| different port on the same site. Users are advised to upgrade to
| Mechanize v2.8.5 or later. There are no known workarounds for this
| issue.

https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9

Prerequisite to clear credential headers when redirecting to cross site:
https://github.com/sparklemotion/mechanize/commit/17e5381032c90caf240ac3d2e52b353f40c18d83 (v2.8.0)

Fixed by:
https://github.com/sparklemotion/mechanize/commit/907c778001625cb9daa686d5019c939cb416e45b (v2.8.5)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31033

Please adjust the affected versions in the BTS as needed.
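The advisory's core point is that a redirect to a different port on the same hostname is a different origin, so credential headers must not be carried across it. The following Ruby snippet is an added illustration written for this report, not Mechanize's own code and not the patch linked above: it models a redirect follower's decision with a host-only comparison (the flawed behaviour the advisory describes) beside a full scheme/host/port comparison, and shows which headers survive in each case. The header list, URLs and token are constructed for the example.

```ruby
require 'uri'

# Headers this example treats as credentials. Chosen for the illustration,
# not a list taken from Mechanize.
CREDENTIAL_HEADERS = %w[Authorization].freeze

# Flawed check: any redirect to the same hostname counts as "same site",
# ignoring scheme and port. This mirrors the behaviour in the advisory,
# where https://example.com/ -> https://example.com:8443/ keeps the header.
def same_site_host_only?(from, to)
  from.host.casecmp?(to.host)
end

# Corrected check: same origin only when scheme, host and effective port all
# match. URI fills in the default port (80/443) when the URL omits it, so
# comparing #port handles "https://example.com/" vs "https://example.com:443/".
def same_origin?(from, to)
  from.scheme == to.scheme &&
    from.host.casecmp?(to.host) &&
    from.port == to.port
end

# Headers to send on the redirected request. `headers` is the original
# request's header hash, `location` is the raw Location value (absolute or
# relative), `checker` is the same-site predicate. Returns a new hash.
def headers_for_redirect(headers, from_url, location, checker)
  from = URI.parse(from_url)
  to = from.merge(location) # resolves a relative Location against the request URL
  return headers.dup if checker.call(from, to)

  headers.reject { |name, _| CREDENTIAL_HEADERS.any? { |c| c.casecmp?(name) } }
end

# Constructed scenarios: a request to https://example.com/login carrying a
# bearer token, followed by redirects to various Location values.
def redirect_cases
  headers = { 'Authorization' => 'Bearer constructed-example-token',
              'Accept' => 'text/html' }
  from = 'https://example.com/login'
  host_only = method(:same_site_host_only?)
  origin = method(:same_origin?)
  {
    # same origin, relative Location: both checks keep the header
    same_origin_relative: headers_for_redirect(headers, from, '/dashboard', origin),
    # different port, host-only check: header leaks to port 8443
    diff_port_host_only: headers_for_redirect(headers, from, 'https://example.com:8443/dashboard', host_only),
    # different port, origin check: header is dropped
    diff_port_origin: headers_for_redirect(headers, from, 'https://example.com:8443/dashboard', origin),
    # scheme downgrade to http, origin check: header is dropped
    downgrade_origin: headers_for_redirect(headers, from, 'http://example.com/dashboard', origin),
    # unrelated host: both checks drop the header
    other_host_host_only: headers_for_redirect(headers, from, 'https://attacker.example/', host_only)
  }
end

if __FILE__ == $PROGRAM_NAME
  redirect_cases.each do |name, hdrs|
    puts "#{name}: Authorization #{hdrs.key?('Authorization') ? 'sent' : 'dropped'}"
  end
end
```

When reviewing a redirect-following HTTP client, the check to look for is exactly the one in `same_origin?`: scheme, host and port together, with default ports normalised before comparison. A host-only comparison is the gap this CVE describes.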