Vulnerability Description
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rubyonrails | Rails | < 5.2.4.3 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw (Mailing List, Patch, Third Party Advisory)
- https://hackerone.com/reports/732415 (Exploit, Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4766 (Third Party Advisory)
FAQ
What is CVE-2020-8166?
CVE-2020-8166 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, for...
How severe is CVE-2020-8166?
CVE-2020-8166 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-8166?
Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails, Debian Debian Linux.