Impact
A session forgery vulnerability was discovered in Autolab's default docker installation procedure, whereby users can impersonate an administrator by manipulating their session cookie.
Patches
The vulnerability has been patched in v2.11.0. Run make update from your docker installation root directory and follow any instructions provided.
Workarounds
Define secret_key_base via the rails credentials:edit command, which will encrypt the value.
Alternatively, add the SECRET_KEY_BASE environment variable to the .env file and set it to an appropriate key value. For example:
SECRET_KEY_BASE=17c2b02fb7d21e249573a9a6fe3b1a2606653186baf53cd407f1a43f8446bda86095b9f5fa39e6c4538407253aef18e3b0ec38f4d3dedacc98e7a8c238266890
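As an added example that is not part of the Autolab project, a small shell script for the .env workaround: it checks that a SECRET_KEY_BASE entry is present, long enough, and not the advisory's published example value, and rotates it with a fresh secret. It assumes the .env path is passed as the first argument and that od and sed -i are available.

```shell
#!/bin/sh
# Added example, not Autolab project code: audit and rotate the SECRET_KEY_BASE
# line of a docker-install .env file. Assumes the file path is passed as $1.

# The value shown in the advisory's example is public and must never be reused.
ADVISORY_EXAMPLE_KEY=17c2b02fb7d21e249573a9a6fe3b1a2606653186baf53cd407f1a43f8446bda86095b9f5fa39e6c4538407253aef18e3b0ec38f4d3dedacc98e7a8c238266890

# Print 64 random bytes as 128 hex characters, the same shape `rails secret`
# (or `openssl rand -hex 64`) produces; od keeps this free of extra tooling.
generate_secret_key_base() {
    od -An -N64 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the SECRET_KEY_BASE value from a .env file; the last definition wins,
# matching dotenv-style loaders. Prints nothing if the variable is absent.
read_secret_key_base() {
    grep -E '^SECRET_KEY_BASE=' "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d '"\r'
}

# Return 0 when the secret is usable: present, at least 128 hex characters and
# not the advisory's published example. Prints the reason on failure.
check_secret_key_base() {
    value=$(read_secret_key_base "$1")
    if [ -z "$value" ]; then
        echo "SECRET_KEY_BASE is not set in $1"; return 1
    fi
    if [ "$value" = "$ADVISORY_EXAMPLE_KEY" ]; then
        echo "SECRET_KEY_BASE is the advisory's example value"; return 1
    fi
    if ! printf '%s' "$value" | grep -Eq '^[0-9a-fA-F]{128,}$'; then
        echo "SECRET_KEY_BASE must be at least 128 hex characters"; return 1
    fi
    return 0
}

# Replace (or append) the SECRET_KEY_BASE line with a freshly generated secret.
# Rotating it invalidates every existing session cookie, forged ones included.
rotate_secret_key_base() {
    new=$(generate_secret_key_base)
    if grep -Eq '^SECRET_KEY_BASE=' "$1" 2>/dev/null; then
        sed -i.bak "s/^SECRET_KEY_BASE=.*/SECRET_KEY_BASE=$new/" "$1"
    else
        printf 'SECRET_KEY_BASE=%s\n' "$new" >> "$1"
    fi
}
```

Because rotating secret_key_base logs every user out, schedule it deliberately, and restart the containers afterwards so the application reads the new .env value.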
References
For more information
If you have any questions or comments about this advisory: