Ruby

By DeepSource

Rails version with CSRF token forgery vulnerability detected RB-A1001

Security

Rails versions earlier than 5.2.4.3, and Rails 6.0.0 up to and including 6.0.3, are affected by CVE-2020-8166: given a global CSRF token, such as the one present in the authenticity_token meta tag, an attacker can forge a per-form CSRF token for any action. Per-form tokens (config.action_controller.per_form_csrf_tokens) therefore offer no more protection than the global token on these versions. The fix shipped in Rails 5.2.4.3 and 6.0.3.1.

When the Gemfile declares rails without a version constraint, Bundler resolves whatever release is newest and compatible with the other gems at the time bundle install runs, and afterwards keeps using the version recorded in Gemfile.lock. Which version that is cannot be determined from the Gemfile alone, and it may be a vulnerable one. Pinning the version is strongly recommended; a pessimistic constraint at or above the fixed release (for example ~> 5.2.4.3 or ~> 6.0.3.1) rules out the affected range. Note that a plain lower bound such as >= 5.2.4.3 still admits 6.0.0 through 6.0.3. If the specified version is known to be vulnerable, upgrade Rails to 5.2.4.3, 6.0.3.1 or later.
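As an added example (this is neither DeepSource's checker nor Rails code), the following Ruby script applies the version ranges above to a project's Gemfile and Gemfile.lock. It uses Gem::Version and Gem::Requirement from RubyGems, so the comparison semantics match what Bundler uses. The fixed versions 5.2.4.3 and 6.0.3.1 are taken from the Rails announcement; the Gemfile and Gemfile.lock contents at the bottom are constructed for the example.

```ruby
# Added example, not DeepSource's checker or Rails code: apply the CVE-2020-8166
# version ranges to a project's Gemfile and Gemfile.lock. Fixed versions are
# 5.2.4.3 (for the 5.2 series) and 6.0.3.1 (for the 6.0 series).
require "rubygems"

FIXED_5_2 = Gem::Version.new("5.2.4.3")
FIRST_6_0 = Gem::Version.new("6.0.0")
FIXED_6_0 = Gem::Version.new("6.0.3.1")

# Newest release of each affected series; a constraint that admits either of
# them can resolve to a vulnerable Rails.
LAST_AFFECTED = [Gem::Version.new("5.2.4.2"), Gem::Version.new("6.0.3")].freeze

# True when this exact Rails version is affected by CVE-2020-8166.
def rails_vulnerable_to_cve_2020_8166?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < FIXED_5_2                   # 4.x, 5.0, 5.1, 5.2 < 5.2.4.3
  return true if v >= FIRST_6_0 && v < FIXED_6_0 # 6.0.0 .. 6.0.3
  false
end

# Version constraints given on the `gem "rails"` line of a Gemfile, as an array
# of strings (empty when unpinned), or nil when Rails is not declared there.
def gemfile_rails_constraints(gemfile_text)
  line = gemfile_text.lines.find { |l| l =~ /\A\s*gem\s+["']rails["']/ }
  return nil unless line
  rest = line.sub(/\A\s*gem\s+["']rails["']/, "")
  # Keep only quoted strings that look like version requirements, so options
  # such as github: "rails/rails" are not mistaken for constraints.
  rest.scan(/["']([^"']+)["']/).flatten.grep(/\A\s*(~>|>=|<=|>|<|=|!=)?\s*\d/)
end

# True when the constraints do not rule out every affected release.
def constraints_allow_vulnerable?(constraints)
  req = Gem::Requirement.new(*constraints)       # no constraints => ">= 0"
  LAST_AFFECTED.any? { |v| req.satisfied_by?(v) }
end

# Resolved Rails version from Gemfile.lock: the four-space-indented entry in the
# specs section (dependency lines are indented six spaces).
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \(([^)\s]+)\)$/)
  m && m[1]
end

# Run both checks and return human-readable findings (empty when clean).
def audit_rails_dependency(gemfile_text, lockfile_text)
  findings = []
  constraints = gemfile_rails_constraints(gemfile_text)
  if constraints.nil?
    findings << "Gemfile does not declare rails"
  elsif constraints_allow_vulnerable?(constraints)
    shown = constraints.empty? ? "(unpinned)" : constraints.join(", ")
    findings << "Gemfile constraint #{shown} admits a Rails version affected by CVE-2020-8166"
  end
  locked = locked_rails_version(lockfile_text)
  if locked && rails_vulnerable_to_cve_2020_8166?(locked)
    findings << "Gemfile.lock resolves rails #{locked}, which is affected by CVE-2020-8166"
  end
  findings
end

# Constructed sample project files for the example: an unpinned Gemfile whose
# lockfile resolved to an affected release.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  gem "pg", "~> 1.2"
GEMFILE

SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.2.2)
        rack (~> 2.0, >= 2.0.8)
      pg (1.2.3)
      rack (2.2.2)
      rails (6.0.2.2)
        actionpack (= 6.0.2.2)

  DEPENDENCIES
    pg (~> 1.2)
    rails
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_rails_dependency(SAMPLE_GEMFILE, SAMPLE_LOCKFILE).each { |f| puts f }
end
```

Both checks matter: the Gemfile constraint tells you whether a future bundle update can drift back into the affected range, while Gemfile.lock tells you what is installed right now. The constraint check is deliberately strict about the 6.0 series: a Gemfile that says only >= 5.2.4.3 is reported, because that requirement is satisfied by 6.0.3, whereas ~> 5.2.4 together with >= 5.2.4.3, or ~> 6.0.3.1, is accepted.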

References

  1. CVE-2020-8166 - Rails Security Group (Ability to forge per-form CSRF tokens given a global CSRF token)
  2. CVE-2020-8166 - GitHub Advisory Database
  3. OWASP Top 10 (2017) - A9 - Using Components with Known Vulnerabilities