Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNHh4LXc2ZnItYzR3Oc4AAxVr
Clockwork Web contains a Cross-Site Request Forgery Vulnerability with Rails < 5.2
Clockwork Web before 0.1.2, when used with Rails before 5.2 is used, allows Cross-Site Request Forgery (CSRF). A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include enabling and disabling jobs. All users running an affected release on Rails < 5.2 should upgrade immediately.
Permalink: https://github.com/advisories/GHSA-p4xx-w6fr-c4w9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNHh4LXc2ZnItYzR3Oc4AAxVr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-p4xx-w6fr-c4w9, CVE-2023-25015
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-25015
- https://github.com/ankane/clockwork_web/issues/4
- https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857
- https://github.com/ankane/clockwork_web/compare/v0.1.1...v0.1.2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/clockwork_web/CVE-2023-25015.yml
- https://github.com/advisories/GHSA-p4xx-w6fr-c4w9
Blast Radius: 0.0
Affected Packages
rubygems:clockwork_web
Dependent packages: 0Dependent repositories: 1
Downloads: 126,725 total
Affected Version Ranges: < 0.1.2
Fixed in: 0.1.2
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.1.0, 0.1.1
All unaffected versions: 0.1.2, 0.2.0