GHSA-jp5v-5gx4-jmj9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jp5v-5gx4-jmj9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-jp5v-5gx4-jmj9/GHSA-jp5v-5gx4-jmj9.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-jp5v-5gx4-jmj9
- Aliases
- Published
- 2020-05-26T15:11:13Z
- Modified
- 2023-11-01T04:53:43.691679Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Ability to forge per-form CSRF tokens in Rails
- Details
-
It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.
Impact
Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.
Workarounds
This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
- Database specific
{ "github_reviewed_at": "2020-05-26T15:10:56Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-352" ], "nvd_published_at": null }- References
Affected packages
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack
Affected versions
5.*
5.0.0
5.0.0.1
5.0.1.rc1
5.0.1.rc2
5.0.1
5.0.2.rc1
5.0.2
5.0.3
5.0.4.rc1
5.0.4
5.0.5.rc1
5.0.5.rc2
5.0.5
5.0.6.rc1
5.0.6
5.0.7
5.0.7.1
5.0.7.2
5.1.0.beta1
5.1.0.rc1
5.1.0.rc2
5.1.0
5.1.1
5.1.2.rc1
5.1.2
5.1.3.rc1
5.1.3.rc2
5.1.3.rc3
5.1.3
5.1.4.rc1
5.1.4
5.1.5.rc1
5.1.5
5.1.6
5.1.6.1
5.1.6.2
5.1.7.rc1
5.1.7
5.2.0.beta1
5.2.0.beta2
5.2.0.rc1
5.2.0.rc2
5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack