CSRF Vulnerability in Rails ujs Module Affecting Rails Framework
CVE-2020-8167

6.5MEDIUM

Key Information:

Vendor

Rubyonrails

Status
Http://github.com/rails/rails
Vendor
CVE Published:
19 June 2020

What is CVE-2020-8167?

A CSRF vulnerability in the Rails framework's rails-ujs module affects versions prior to 6.0.3. This flaw allows attackers to send CSRF tokens to unauthorized domains, enabling potential cross-site request forgery attacks. It poses a significant risk for web applications relying on Rails, as it could compromise user data and application integrity if exploited effectively.

Affected Version(s)

http://github.com/rails/rails Fixed in 5.2.4.3, 6.0.3.1

References

https://hackerone.com/reports/189878
x_refsource_MISC
https://groups.google.com/g/rubyonrails-security/c/x9DixQ...
x_refsource_MISC
https://www.debian.org/security/2020/dsa-4766
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.