---
gem: actionpack
framework: rails
cve: 2020-8166
date: 2020-05-18
url: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
title: Ability to forge per-form CSRF tokens given a global CSRF token
description: |
  It is possible to possible to, given a global CSRF token such as the one
  present in the authenticity_token meta tag, forge a per-form CSRF token for
  any action for that session.

  Versions Affected:  rails < 5.2.5, rails < 6.0.4
  Not affected:       Applications without existing HTML injection vulnerabilities.
  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

  Impact
  ------

  Given the ability to extract the global CSRF token, an attacker would be able to
  construct a per-form CSRF token for that session.

  Workarounds
  -----------

  This is a low-severity security issue. As such, no workaround is necessarily
  until such time as the application can be upgraded.

patched_versions:
  - "~> 5.2.4.3"
  - ">= 6.0.3.1"