ADVISORIES
GEM
SEVERITY
CVSS v3.x: 8.1 (High)
PATCHED VERSIONS
- >= 2.7.0
DESCRIPTION
The PgHero dashboard is vulnerable to CSRF with non-session based authentication methods.
Impact
The PgHero dashboard is vulnerable to cross-site request forgery (CSRF). This affects the Docker image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with non-session based authentication methods like basic authentication - session-based authentication methods (like Devise’s default authentication) are not affected.
A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include:
- Canceling running queries
- Running
EXPLAINon queries (without seeing the results, but can be used for denial of service and other attacks) - Resetting query stats (running
pg_stat_statements_reset())