From 8e0bb086339ff6442932ef63d769800dbafed344 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Fri, 15 May 2026 07:23:04 +0200 Subject: [PATCH] Change security fix identifier from GHSA to CVE Updated security fix reference from GHSA to CVE. --- docs/release-notes/17-2-4/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/17-2-4/README.md b/docs/release-notes/17-2-4/README.md index 2761a7f8e5f..0e42132707e 100644 --- a/docs/release-notes/17-2-4/README.md +++ b/docs/release-notes/17-2-4/README.md @@ -20,7 +20,7 @@ release_date: 2026-05-13 -### GHSA-r85r-gjq2-f83r - Docker Container starts with SECRET_KEY_BASE default value +### CVE-2026-46386 - Docker Container starts with SECRET_KEY_BASE default value When an attacker knew the secret key base that the application used to derive internal keys from, they could construct encrypted cookies that on the server side were decoded using [Object Marshalling](https://docs.ruby-lang.org/en/4.0/Marshal.html) which allowed the attacker to execute almost arbitrary ruby code within the container, up to a complete remote code execution. This was especially present in Docker containers that shipped with a default value as the secret key base, when it was not manually overwritten, as mentioned in the documentation.
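Review bot: replacing the GHSA identifier outright in the heading (`-### GHSA-r85r-gjq2-f83r - ...` / `+### CVE-2026-46386 - ...`) drops the only place in these release notes where the two identifiers are tied together, and it also changes the heading's generated anchor, so any existing link or advisory reference pointing at the GHSA-based slug will no longer resolve. Consider keeping both identifiers in the heading, e.g. `### CVE-2026-46386 (GHSA-r85r-gjq2-f83r) - Docker Container starts with SECRET_KEY_BASE default value`, or at least mentioning the GHSA id in the paragraph below, so readers arriving from the GitHub advisory can confirm they are looking at the same fix. The commit message could also state why the rename is being made (CVE assigned after the GHSA was published), since the diff alone does not explain it.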