RubySec

Providing security resources for the Ruby community

CVE-2020-16252 (field_test): CSRF Vulnerability with Non-Session Based Authentication

ADVISORIES

GEM

field_test

SEVERITY

CVSS v3: 4.3 (Medium)

UNAFFECTED VERSIONS

  • < 0.2.0

PATCHED VERSIONS

  • >= 0.4.0

DESCRIPTION

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods.

Impact

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise’s default authentication) are not affected.

A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.