RubySec

Providing security resources for the Ruby community

CVE-2020-8166 (actionpack): Ability to forge per-form CSRF tokens given a global CSRF token

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

PATCHED VERSIONS

  • ~> 5.2.4, >= 5.2.4.3
  • >= 6.0.3.1

DESCRIPTION

It is possible to possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications without existing HTML injection vulnerabilities. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.