Description

Many Ruby-based web frameworks (old versions of Rails, and ones that use Rack::Session::Cookie) use a secret key to sign session cookies, which protects the cookie data against tampering. It is very important that an attacker does not know the value of this secret key. Your application is using a weak or known secret key, and Acunetix managed to guess it.

Remediation

Change the value of the secret key to a long random string.
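The following Ruby sketch is an added example, not code from Acunetix, Rails or Rack. It models HMAC cookie signing in simplified form, audits a configured secret, and generates a replacement. The function names, the `data--digest` layout, the JSON payload, the 64-byte minimum and the short list of placeholder values are all assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "json"

# Constructed sample of placeholder-style values; not a real wordlist.
KNOWN_WEAK_SECRETS = %w[secret changeme change_me session_secret 1234567890].freeze
MIN_SECRET_BYTES = 64 # assumed policy threshold, not taken from the page

# Reasons a secret is unsafe; an empty array means it passed the audit.
def secret_problems(secret)
  s = secret.to_s
  problems = []
  problems << "empty" if s.empty?
  problems << "known placeholder value" if KNOWN_WEAK_SECRETS.include?(s.downcase)
  problems << "shorter than #{MIN_SECRET_BYTES} bytes" if s.bytesize < MIN_SECRET_BYTES
  problems
end

# 64 bytes from the OS CSPRNG, hex-encoded to 128 characters.
def generate_secret
  SecureRandom.hex(64)
end

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, data)
end

# Constant-time comparison so digest checks do not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value = base64(JSON session) + "--" + HMAC of that base64 string.
def sign_session(session, secret)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{hmac_hex(secret, data)}"
end

# Returns the session hash when the signature matches, otherwise nil.
def verify_session(cookie, secret)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, hmac_hex(secret, data))
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end
```

Running `secret_problems` against the configured value at application boot, and refusing to start when it returns anything, keeps a placeholder secret from reaching production.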
