CVE-2008-7248

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
Configurations

Configuration 1

OR (any of the following):
  • cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*

History

13 Feb 2023, 02:19

Type: References (MISC)
  • https://bugzilla.redhat.com/show_bug.cgi?id=544329
  • https://access.redhat.com/security/cve/CVE-2008-7248

Type: Summary
  CVE-2008-7248 rubygem-actionpack: Potential CSRF protection circumvention. Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

02 Feb 2023, 15:15

Type: References (MISC)
  • https://bugzilla.redhat.com/show_bug.cgi?id=544329
  • https://access.redhat.com/security/cve/CVE-2008-7248

Type: Summary
  Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain. CVE-2008-7248 rubygem-actionpack: Potential CSRF protection circumvention.

Information

Published : 2009-12-16 01:30

Updated : 2023-12-10 10:51


NVD link : CVE-2008-7248

Mitre link : CVE-2008-7248

CVE.ORG link : CVE-2008-7248

Products Affected

rubyonrails
  • rails

CWE

CWE-20: Improper Input Validation