Vulnerability Description
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rubyonrails | Rails | 2.1.0 |
Related Weaknesses (CWE)
References
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee2
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- http://secunia.com/advisories/36600Vendor Advisory
- http://secunia.com/advisories/38915
- http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protect
- http://www.openwall.com/lists/oss-security/2009/11/28/1
- http://www.openwall.com/lists/oss-security/2009/12/02/2
- http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.Exploit
- http://www.vupen.com/english/advisories/2009/2544Vendor Advisory
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee2
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- http://secunia.com/advisories/36600Vendor Advisory
- http://secunia.com/advisories/38915
FAQ
What is CVE-2008-7248?
CVE-2008-7248 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protecti...
How severe is CVE-2008-7248?
CVE-2008-7248 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-7248?
Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails.