MEDIUM
GHSA-8fqx-7pv4-3jwm
Improper Input Validation in actionpack
Details
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2008-7248 [ADVISORY]
- https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a [WEB]
- https://access.redhat.com/security/cve/CVE-2008-7248 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=544329 [WEB]
- https://github.com/rails/rails [PACKAGE]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml [WEB]
- https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en [WEB]
- https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html [WEB]
- https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup [WEB]
- https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544 [WEB]
- https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1 [WEB]
- https://www.openwall.com/lists/oss-security/2009/11/28/1 [WEB]
- https://www.openwall.com/lists/oss-security/2009/12/02/2 [WEB]
- https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html [WEB]
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html [WEB]
- http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup [WEB]
- http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1 [WEB]
- http://www.openwall.com/lists/oss-security/2009/11/28/1 [WEB]
- http://www.openwall.com/lists/oss-security/2009/12/02/2 [WEB]