RubySec

Providing security resources for the Ruby community

CVE-2016-10522 (rails_admin): CSRF vulnerability in rails_admin

CSRF vulnerability in rails_admin

Published: December 21, 2016

SECURITY IDENTIFIERS

GEM

rails_admin

SEVERITY

CVSS v3.x: 8.8 (High)

CVSS v2.0: 5.5 (Medium)

UNAFFECTED VERSIONS

< 1.0.0

PATCHED VERSIONS

>= 1.1.1

DESCRIPTION

The rails_admin gem is vulnerable to cross-site request forgery (CSRF) attacks. Due to a bug, non-GET requests were not validated against CSRF tokens, so an attacker could hypothetically forge state-changing requests to the administrative endpoints exposed by the gem on behalf of a logged-in administrator.
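The class of bug described above, shown as an added example that is not rails_admin's code and not part of this advisory: a minimal dispatcher in plain Ruby that routes requests to an administrative action, first in the vulnerable form (no token check for any verb) and then in the fixed form (every non-GET/HEAD request must carry the session's token). The request shape (a Hash with `:method`, `:params` and `:session`), the `authenticity_token` parameter name and the helper names are assumptions chosen for the illustration; the session and requests are constructed inline so the file runs offline.

```ruby
require 'securerandom'

# Verbs that do not change state and therefore need no CSRF token,
# mirroring the usual Rails convention (assumption for this example).
SAFE_METHODS = %w[GET HEAD].freeze

# Issue one random token per session; the browser form must echo it back.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time string comparison so a token cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True only when the submitted token matches the one stored in this session.
def valid_csrf?(session, submitted)
  expected = session[:csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_equal?(expected, submitted)
end

# Stand-in for an administrative endpoint (hypothetical; not rails_admin's).
def admin_action(request)
  "deleted user #{request[:params]['id']}"
end

# VULNERABLE: every verb reaches the admin action without any token check,
# which is the behaviour the advisory describes for non-GET methods.
def dispatch_vulnerable(request)
  [200, admin_action(request)]
end

# FIXED: non-GET/HEAD requests are rejected unless they present the session token.
def dispatch_fixed(request)
  token = request[:params]['authenticity_token']
  unless SAFE_METHODS.include?(request[:method]) || valid_csrf?(request[:session], token)
    return [422, 'CSRF token missing or invalid']
  end
  [200, admin_action(request)]
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)
  # Constructed sample requests: a cross-site POST carries the victim's session
  # cookie but cannot know the token; the legitimate form submission includes it.
  forged = { method: 'POST', params: { 'id' => '7' }, session: session }
  legit  = { method: 'POST', params: { 'id' => '7', 'authenticity_token' => token }, session: session }
  puts "vulnerable, forged: #{dispatch_vulnerable(forged).inspect}"
  puts "fixed, forged:      #{dispatch_fixed(forged).inspect}"
  puts "fixed, legitimate:  #{dispatch_fixed(legit).inspect}"
end
```

The fixed dispatcher enforces the check at the point where requests are routed, so a controller that forgets to declare protection cannot silently opt out; that central placement, rather than a per-action flag, is the property a reviewer should look for when auditing an admin engine.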