GHSA-p4xx-w6fr-c4w9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p4xx-w6fr-c4w9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-p4xx-w6fr-c4w9/GHSA-p4xx-w6fr-c4w9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p4xx-w6fr-c4w9
- Aliases
- Published
- 2023-02-02T06:30:26Z
- Modified
- 2023-11-08T04:11:49.909481Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Clockwork Web contains a Cross-Site Request Forgery Vulnerability with Rails < 5.2
- Details
-
Clockwork Web before 0.1.2, when used with Rails before 5.2 is used, allows Cross-Site Request Forgery (CSRF). A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include enabling and disabling jobs. All users running an affected release on Rails < 5.2 should upgrade immediately.
- Database specific
{ "nvd_published_at": "2023-02-02T04:15:00Z", "github_reviewed_at": "2023-02-02T23:07:04Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-352" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-25015
- https://github.com/ankane/clockwork_web/issues/4
- https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857
- https://github.com/ankane/clockwork_web
- https://github.com/ankane/clockwork_web/compare/v0.1.1...v0.1.2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/clockwork_web/CVE-2023-25015.yml
Affected packages
RubyGems / clockwork_web
Package
- Name
- clockwork_web
- Purl
- pkg:gem/clockwork_web