MEDIUM 4.3
GHSA-jp5v-5gx4-jmj9
Ability to forge per-form CSRF tokens in Rails
Details
Given a global CSRF token, such as the one present in the authenticity_token meta tag, it is possible to forge a per-form CSRF token for any action for that session.
Impact
Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.
Workarounds
This is a low-severity security issue. As such, no workaround is necessary until such time as the application can be upgraded.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-8166 [ADVISORY]
- https://hackerone.com/reports/732415 [WEB]
- https://github.com/rails/rails [PACKAGE]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml [WEB]
- https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw [WEB]
- https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw [WEB]
- https://www.debian.org/security/2020/dsa-4766 [WEB]