Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc1NDItY3BwOS1yM2c3

Field Test CSRF vulnerability

The Field Test dashboard is vulnerable to cross-site request forgery (CSRF) with non-session based authentication methods in versions v0.2.0 through v0.3.2.

Impact

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise's default authentication) are not affected.

A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.

All users running an affected release should upgrade immediately.

Technical Details

Field Test uses the protect_from_forgery method from Rails to prevent CSRF. However, this defaults to :null_session, which has no effect on non-session based authentication methods. This has been changed to protect_from_forgery with: :exception.

Permalink: https://github.com/advisories/GHSA-w542-cpp9-r3g7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc1NDItY3BwOS1yM2c3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: over 1 year ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Identifiers: GHSA-w542-cpp9-r3g7, CVE-2020-16252
References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-16252
• https://github.com/ankane/field_test/issues/28
• https://github.com/ankane/field_test/commit/defd3fdf457c22d7dc5b3be7048481947bd5f0d0
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/field_test/CVE-2020-16252.yml
• https://github.com/advisories/GHSA-w542-cpp9-r3g7

Repository: https://github.com/ankane/field_test
Blast Radius: 9.2

Affected Packages