[CVE-2020-8167] CSRF Vulnerability in rails-ujs


Aaron Patterson

May 18, 2020, 11:58:47 AM
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com
CSRF Vulnerability in rails-ujs

There is a vulnerability in rails-ujs that allows attackers to send
CSRF tokens to wrong domains.
This vulnerability has been assigned the CVE identifier CVE-2020-8167.

Versions Affected: rails <= 6.0.3
Not affected: Applications which don't use rails-ujs.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

This is a regression of CVE-2015-1840.

In the scenario where an attacker might be able to control the href attribute of an anchor tag or
the action attribute of a form tag that will trigger a POST action, the attacker can set the
href or action to a cross-origin URL, and the CSRF token will be sent.
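The defensive check at the heart of this issue is a same-origin test before the CSRF token is attached to a request. The following is an added illustration, not rails-ujs's own code: it resolves the link or form target against the document URL and only adds the X-CSRF-Token header when the two share an origin. The document URL, the token value and the sample hrefs are constructed for the demonstration.

```javascript
// Added example, not code from rails-ujs: attach the CSRF token only when the
// request target shares the document's origin (scheme + host + port).

// Resolve `href` relative to the current document URL and compare origins.
// A relative href such as "/posts/1" resolves to the document origin; an
// absolute cross-origin href such as "https://evil.example/steal" does not.
function isCrossDomain(href, documentUrl) {
  const base = new URL(documentUrl);
  let target;
  try {
    target = new URL(href, base);
  } catch (e) {
    // Unparseable target: treat as cross-origin so no token is ever attached.
    return true;
  }
  return target.origin !== base.origin;
}

// Build the headers for a data-method link or remote form submission.
// The token is withheld whenever the target is cross-origin.
function buildHeaders(href, documentUrl, csrfToken) {
  const headers = { 'X-Requested-With': 'XMLHttpRequest' };
  if (csrfToken && !isCrossDomain(href, documentUrl)) {
    headers['X-CSRF-Token'] = csrfToken;
  }
  return headers;
}

// Constructed sample values: the application is served from https://app.example
// and an attacker-controlled href may point anywhere.
const DOCUMENT_URL = 'https://app.example/posts';
const TOKEN = 'constructed-token-value';
const SAMPLE_HREFS = [
  '/posts/1',                         // same origin, token sent
  'https://app.example:443/posts/1',  // same origin (default port), token sent
  'http://app.example/posts/1',       // scheme differs, token withheld
  '//evil.example/steal',             // protocol-relative cross-origin, withheld
  'https://evil.example/steal',       // cross-origin, token withheld
];

for (const href of SAMPLE_HREFS) {
  console.log(href, '->', buildHeaders(href, DOCUMENT_URL, TOKEN));
}
```

The check compares the full origin rather than just the hostname, so a change of scheme or port is also treated as cross-origin; a parse failure is treated the same way, because the safe default is to withhold the token.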

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------

To work around this problem, change code that allows users to control the href attribute of an anchor
tag or the action attribute of a form tag to filter the user parameters.

For example, code like this:

link_to params

to code like this:

link_to filtered_params

def filtered_params
# Filter just the parameters that you trust
end

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the
supported release series. They are in git-am format and consist of a single changeset.

* 5-2-rails-ujs.patch - Patch for 5.2 series
* 6-0-rails-ujs.patch - Patch for 6.0 series


Credits
-------

Thanks to Ben Toews of GitHub for reporting the vulnerability to us.
5-2-rails-ujs.patch
6-0-rails-ujs.patch