4.3 Medium (CVSS3)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |

4.3 Medium (CVSS2)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
actionpack is vulnerable to cross-site request forgery (CSRF). If the global CSRF token, such as the one in the authenticity_token meta tag, is obtained, an attacker can forge per-form CSRF tokens for any action in that session, enabling CSRF attacks.
CPE

Name | Operator | Version |
---|---|---|
actionpack | le | 5.2.4.2 |
actionpack | le | 6.0.3 |
rails:buster | eq | 2:5.2.2.1+dfsg-1+deb10u1 |
github.com/rails/rails/commit/29aa538ac26a984389fa78aaaf292e2b4ca1a544
github.com/rails/rails/commit/d124f19287f4892c72ca54da728a781591c6fca1
groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
hackerone.com/reports/732415
weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/
www.debian.org/security/2020/dsa-4766