Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThmcXgtN3B2NC0zandt
Improper Input Validation in actionpack
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Permalink: https://github.com/advisories/GHSA-8fqx-7pv4-3jwm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThmcXgtN3B2NC0zandt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 7 years ago
Updated: over 1 year ago
EPSS Percentage: 0.19531
EPSS Percentile: 0.96287
Identifiers: GHSA-8fqx-7pv4-3jwm, CVE-2008-7248
References:
- https://nvd.nist.gov/vuln/detail/CVE-2008-7248
- https://access.redhat.com/security/cve/CVE-2008-7248
- https://bugzilla.redhat.com/show_bug.cgi?id=544329
- https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
- https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- https://www.openwall.com/lists/oss-security/2009/11/28/1
- https://www.openwall.com/lists/oss-security/2009/12/02/2
- https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- http://www.openwall.com/lists/oss-security/2009/11/28/1
- http://www.openwall.com/lists/oss-security/2009/12/02/2
- https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
- https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544
- https://github.com/advisories/GHSA-8fqx-7pv4-3jwm
Blast Radius: 0.0
Affected Packages
rubygems:actionpack
Dependent packages: 1,688
Dependent repositories: 876,080
Downloads: 596,471,515 total
Affected Version Ranges: >= 2.2.0, < 2.2.2, >= 2.1.0, < 2.1.3
Fixed in: 2.2.2, 2.1.3
All affected versions: 2.1.0, 2.1.1, 2.1.2
All unaffected versions: 0.9.0, 0.9.5, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.2.2, 2.2.3, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.17, 2.3.18, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1, 7.2.2, 8.0.0, 8.0.1