[CVE-2020-8167] CSRF Vulnerability in rails-ujs
2,642 views
Skip to first unread message
Aaron Patterson
May 18, 2020, 11:58:47 AM5/18/20
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com
CSRF Vulnerability in rails-ujs
There is an vulnerability in rails-ujs that allows attackers to send
CSRF tokens to wrong domains.
This vulnerability has been assigned the CVE identifier CVE-2020-8167.
Versions Affected: rails <= 6.0.3
Not affected: Applications which don't use rails-ujs.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
------
This is a regression of CVE-2015-1840.
In the scenario where an attacker might be able to control the href attribute of an anchor tag or
the action attribute of a form tag that will trigger a POST action, the attacker can set the
href or action to a cross-origin URL, and the CSRF token will be sent.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
To work around this problem, change code that allows users to control the href attribute of an anchor
tag or the action attribute of a form tag to filter the user parameters.
For example, code like this:
link_to params
to code like this:
link_to filtered_params
def filtered_params
# Filter just the parameters that you trust
end
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the
supported release series. They are in git-am format and consist of a single changeset.
* 5-2-rails-ujs.patch - Patch for 5.2 series
* 6-0-rails-ujs.patch - Patch for 6.0 series
Credits
-------
Thanks to Ben Toews of GitHub for reporting the vulnerability to us.
There is an vulnerability in rails-ujs that allows attackers to send
CSRF tokens to wrong domains.
This vulnerability has been assigned the CVE identifier CVE-2020-8167.
Versions Affected: rails <= 6.0.3
Not affected: Applications which don't use rails-ujs.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
------
This is a regression of CVE-2015-1840.
In the scenario where an attacker might be able to control the href attribute of an anchor tag or
the action attribute of a form tag that will trigger a POST action, the attacker can set the
href or action to a cross-origin URL, and the CSRF token will be sent.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
To work around this problem, change code that allows users to control the href attribute of an anchor
tag or the action attribute of a form tag to filter the user parameters.
For example, code like this:
link_to params
to code like this:
link_to filtered_params
def filtered_params
# Filter just the parameters that you trust
end
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the
supported release series. They are in git-am format and consist of a single changeset.
* 5-2-rails-ujs.patch - Patch for 5.2 series
* 6-0-rails-ujs.patch - Patch for 6.0 series
Credits
-------
Thanks to Ben Toews of GitHub for reporting the vulnerability to us.
Reply all
Reply to author
Forward
0 new messages