Sha256: 09322477c71f15ab6ddf9d70468c150548bc3a6cec098e194ff224d00a4a746a
Contents?: true
Size: 981 Bytes
Versions: 1
Compression:
Stored size: 981 Bytes
Contents
---
gem: actionpack
framework: rails
cve: 2020-8166
date: 2020-05-18
url: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
title: Ability to forge per-form CSRF tokens given a global CSRF token
description: |
  It is possible to, given a global CSRF token such as the one present in
  the authenticity_token meta tag, forge a per-form CSRF token for any action
  for that session.

  Versions Affected: rails < 5.2.5, rails < 6.0.4
  Not affected: Applications without existing HTML injection vulnerabilities.
  Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

  Impact
  ------

  Given the ability to extract the global CSRF token, an attacker would be
  able to construct a per-form CSRF token for that session.

  Workarounds
  -----------

  This is a low-severity security issue. As such, no workaround is necessary
  until such time as the application can be upgraded.
patched_versions:
  - "~> 5.2.4.3"
  - ">= 6.0.3.1"
Version data entries
1 entries across 1 versions & 1 rubygems
Version | Path
---|---
bundler-audit-0.7.0.1 | data/ruby-advisory-db/gems/actionpack/CVE-2020-8166.yml