CVE-2022-31033

2022-06-0920:15:08

Debian Security Bug Tracker

security-tracker.debian.org

mechanize

library

authorization

header

redirect

upgrade

security

vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

41.2%

JSON

The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.

OSVersionArchitecturePackageVersionFilename
Debian12allruby-mechanize< 2.8.5-1ruby-mechanize_2.8.5-1_all.deb
Debian11allruby-mechanize<= 2.7.7-1ruby-mechanize_2.7.7-1_all.deb
Debian999allruby-mechanize< 2.8.5-1ruby-mechanize_2.8.5-1_all.deb
Debian13allruby-mechanize< 2.8.5-1ruby-mechanize_2.8.5-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	ruby-mechanize	< 2.8.5-1	ruby-mechanize_2.8.5-1_all.deb
Debian	11	all	ruby-mechanize	<= 2.7.7-1	ruby-mechanize_2.7.7-1_all.deb
Debian	999	all	ruby-mechanize	< 2.8.5-1	ruby-mechanize_2.8.5-1_all.deb
Debian	13	all	ruby-mechanize	< 2.8.5-1	ruby-mechanize_2.8.5-1_all.deb