GHSA-jp5v-5gx4-jmj9

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-jp5v-5gx4-jmj9/GHSA-jp5v-5gx4-jmj9.json
Aliases
  • CVE-2020-8166
Published
2020-05-26T15:11:13Z
Modified
2022-06-10T02:19:50.087603Z
Details

Given a global CSRF token, such as the one present in the authenticity_token meta tag, it is possible to forge a per-form CSRF token for any action for that session.

Impact

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds

This is a low-severity security issue. As such, no workaround is necessary until the application can be upgraded.

Affected packages

RubyGems / actionpack

actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.2.4.3

Affected versions

5.*

5.0.0
5.0.0.1
5.0.1
5.0.1.rc1
5.0.1.rc2
5.0.2
5.0.2.rc1
5.0.3
5.0.4
5.0.4.rc1
5.0.5
5.0.5.rc1
5.0.5.rc2
5.0.6
5.0.6.rc1
5.0.7
5.0.7.1
5.0.7.2
5.1.0
5.1.0.beta1
5.1.0.rc1
5.1.0.rc2
5.1.1
5.1.2
5.1.2.rc1
5.1.3
5.1.3.rc1
5.1.3.rc2
5.1.3.rc3
5.1.4
5.1.4.rc1
5.1.5
5.1.5.rc1
5.1.6
5.1.6.1
5.1.6.2
5.1.7
5.1.7.rc1
5.2.0
5.2.0.beta1
5.2.0.beta2
5.2.0.rc1
5.2.0.rc2
5.2.1
5.2.1.1
5.2.1.rc1
5.2.2
5.2.2.1
5.2.2.rc1
5.2.3
5.2.3.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.rc1

Database specific

{
    "last_known_affected_version_range": "<= 5.2.4.2"
}

RubyGems / actionpack

actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.3.1

Affected versions

6.*

6.0.0
6.0.1
6.0.1.rc1
6.0.2
6.0.2.1
6.0.2.2
6.0.2.rc1
6.0.2.rc2
6.0.3
6.0.3.rc1

Database specific

{
    "last_known_affected_version_range": "<= 6.0.3"
}