CSRF Vulnerability with Non-Session Based Authentication
Published: August 04, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-16252 (NVD)
- GHSA: GHSA-w542-cpp9-r3g7
- Vendor Advisory: https://github.com/ankane/field_test/issues/28
GEM
SEVERITY
CVSS v3.x: 4.3 (Medium)
UNAFFECTED VERSIONS
< 0.2.0
PATCHED VERSIONS
>= 0.4.0
DESCRIPTION
The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods.
Impact
The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise's default authentication) are not affected.
A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.