All versions of Rails below 184.108.40.206, and some versions of Rails 6 up to 6.0.3, make it possible for an attacker who has a global CSRF token, such as the one present in the authenticity_token meta tag, to forge a per-form CSRF token.
In cases where no version is specified for Rails inside the Gemfile, Bundler tries to work out the version to install automatically, which can result in a vulnerable version being installed. Pinning the version is strongly recommended. In cases where the specified version is known to be vulnerable, upgrading to a newer version of Rails can help fix this issue.
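The pinning advice above can be checked mechanically. The following is an added example, not code from Rails or Bundler: the helper name audit_rails_pin and the sample Gemfiles are hypothetical, it only handles the plain `gem "rails", ...` form, and it tests the constraint against the 6.0.3 figure given above only.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Highest Rails 6 release the text above names as affected.
AFFECTED_RAILS6 = Gem::Version.new("6.0.3")

# A `gem "rails"` declaration; group 1 holds whatever follows the name.
RAILS_LINE = /^\s*gem\s+["']rails["']\s*(?:,\s*(.*))?$/

# Classifies Gemfile text (hypothetical helper):
#   :missing         no direct rails declaration
#   :unpinned        declared without any version constraint
#   :allows_affected constraint still admits 6.0.3
#   :ok              constraint excludes 6.0.3
def audit_rails_pin(gemfile_text)
  lines = gemfile_text.each_line.map { |l| l.sub(/#.*/, "").rstrip }
  line = lines.find { |l| l.match?(RAILS_LINE) }
  return :missing unless line

  args = line[RAILS_LINE, 1].to_s
  # Only the leading quoted strings are version constraints; options such
  # as `require: false` or `git: "..."` end the run.
  constraints = args.scan(/\G\s*["']([^"']+)["']\s*,?/).flatten
  return :unpinned if constraints.empty?

  requirement = Gem::Requirement.new(*constraints)
  requirement.satisfied_by?(AFFECTED_RAILS6) ? :allows_affected : :ok
end

# Constructed sample Gemfiles, not taken from any real project.
SAMPLES = {
  "no version"   => %(source "https://rubygems.org"\ngem "rails"\n),
  "loose pin"    => %(gem "rails", "~> 6.0.0", require: false\n),
  "excludes it"  => %(gem "rails", "~> 6.0", "> 6.0.3" # constructed\n),
  "not declared" => %(gem "sinatra"\n)
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, text| puts "#{name}: #{audit_rails_pin(text)}" }
end
```

A result of :ok only means the Gemfile constraint excludes 6.0.3; the version Bundler actually resolved is recorded in Gemfile.lock.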