CVE-2020-8166

A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type

GIT

Repo

https://github.com/rails/rails

Events

Introduced

Fixed

7b5cc5a5dfcf38522be0a4b5daa97c5b2ba26c20

Introduced

66cabeda2c46c582d19738e1318be8d59584cc5b

Fixed

34991a6ae2fc68347c01ea7382fa89004159e019

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.2.4.3"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.0.3.1"
        }
    ]
}

Affected versions

v0.*

v0.10.0

v0.10.1

v0.11.0

v0.11.1

v0.12.0

v0.13.0

v0.13.1

v0.14.1

v0.14.3

v0.9.1

v0.9.2

v0.9.3

v0.9.4

v0.9.4.1

v0.9.5

v1.*

v1.1.0

v1.1.0_RC1

v1.1.1

v2.*

v2.0.0

v2.0.0_PR

v2.0.0_RC1

v2.0.0_RC2

v2.0.1

v3.*

v3.0.0.beta.3

v3.0.0.beta3

v3.1.0.beta1

v3.1.0.rc1

v3.2.0.rc1

v4.*

v4.0.0.beta1

v4.0.0.rc1

v4.2.0.beta1

v5.*

v5.0.0.beta1

v5.0.0.beta2

v5.0.0.beta4

v5.1.0.beta1

v5.2.0.rc1

v5.2.1.rc1

v5.2.4

v5.2.4.1

v5.2.4.2

v5.2.4.rc1

v6.*

v6.0.0

v6.0.3

v6.0.3.rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8166.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]