GHSA-w542-cpp9-r3g7

Source

https://github.com/advisories/GHSA-w542-cpp9-r3g7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-w542-cpp9-r3g7/GHSA-w542-cpp9-r3g7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w542-cpp9-r3g7

Aliases

CVE-2020-16252

Published

2020-08-05T14:53:34Z

Modified

2024-02-16T08:19:37.390564Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Field Test CSRF vulnerability

Details

The Field Test dashboard is vulnerable to cross-site request forgery (CSRF) with non-session based authentication methods in versions v0.2.0 through v0.3.2.

Impact

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise's default authentication) are not affected.

A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.

All users running an affected release should upgrade immediately.

Technical Details

Field Test uses the protect_from_forgery method from Rails to prevent CSRF. However, this defaults to :null_session, which has no effect on non-session based authentication methods. This has been changed to protect_from_forgery with: :exception.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-05T14:47:06Z"
}

References

Affected packages

RubyGems / field_test

Package

Name: field_test
Purl: pkg:gem/field_test

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.2.0

Fixed

0.4.0

Affected versions

0.*

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.3.0

0.3.1

0.3.2

Database specific

{
    "last_known_affected_version_range": "<= 0.3.2"
}