CSRF Vulnerability with Rails < 5.2
Published: February 01, 2023
SECURITY IDENTIFIERS
- CVE: CVE-2023-25015 (NVD)
- GHSA: GHSA-p4xx-w6fr-c4w9
- Vendor Advisory: https://github.com/ankane/clockwork_web/issues/4
GEM
clockwork_web
SEVERITY
CVSS v3.x: 6.5 (Medium)
PATCHED VERSIONS
>= 0.1.2
DESCRIPTION
Clockwork Web is vulnerable to cross-site request forgery (CSRF) when used with Rails < 5.2.
In a CSRF attack, an attacker lures a logged-in user to a malicious web page, which then causes the user's browser to submit requests to the vulnerable application. Because the browser attaches the user's session cookie automatically, the application treats those requests as the user's own. Rails 5.2 turned on forgery protection (protect_from_forgery) for every ActionController::Base controller by default; on earlier versions only controllers that declare it explicitly verify the authenticity token, so an engine controller that does not declare it accepts forged requests. In this instance, the affected state-changing actions include enabling and disabling jobs.
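To make the mechanism concrete, the following is an added example written for this page (it is not clockwork_web's or Rails' code): a small Ruby model of a session-cookie-protected "disable job" action with a Rails-style authenticity token check that can be switched off, which is effectively the situation of an engine controller on Rails < 5.2. The application host, route, job name and attacker page are constructed for the example.

```ruby
require "securerandom"

# Added example (not clockwork_web or Rails code): a minimal model of a Rails-style
# session + authenticity-token check around a "disable job" action, so the effect of
# forgery protection being on or off can be exercised without a Rails install.
class JobsApp
  attr_reader :jobs

  # protect_from_forgery: false models a controller on Rails < 5.2 that never
  # declared protect_from_forgery; true models the Rails 5.2+ default or an explicit call.
  def initialize(protect_from_forgery:)
    @protect = protect_from_forgery
    @sessions = {}                          # session cookie -> session data
    @jobs = { "nightly_report" => true }    # job name -> enabled? (constructed sample)
  end

  # Log in; returns the session cookie the browser will attach to every later request.
  def login
    cookie = SecureRandom.hex(16)
    @sessions[cookie] = { csrf_token: SecureRandom.base64(32) }
    cookie
  end

  # Value the application's own page embeds as the hidden authenticity_token field.
  # A cross-origin page cannot read it: the same-origin policy blocks access to the
  # victim's page and session.
  def authenticity_token_for(cookie)
    @sessions.fetch(cookie)[:csrf_token]
  end

  # Models POST /jobs/:name/disable. The cookie comes from the browser automatically;
  # params are whatever the submitting form contained.
  def disable_job(cookie:, name:, params: {})
    session = @sessions[cookie]
    return :unauthorized unless session
    if @protect && !valid_token?(session, params["authenticity_token"])
      return :forbidden   # Rails raises ActionController::InvalidAuthenticityToken here
    end
    @jobs[name] = false
    :ok
  end

  private

  # Constant-time comparison so the token cannot be recovered byte by byte via timing.
  def valid_token?(session, presented)
    return false unless presented.is_a?(String)
    expected = session[:csrf_token]
    return false unless presented.bytesize == expected.bytesize
    diff = 0
    presented.bytes.zip(expected.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# The attacker's page (constructed): an auto-submitting form aimed at the victim's
# instance. Hosted on attacker.example, it can only guess at the token, or omit it.
ATTACKER_PAGE = <<~HTML
  <form id="f" method="post" action="https://app.example/clockwork/jobs/nightly_report/disable">
    <input type="hidden" name="authenticity_token" value="guess">
  </form>
  <script>document.getElementById("f").submit()</script>
HTML

# The victim's browser submitting ATTACKER_PAGE: session cookie attached, token wrong.
def forged_request(app, cookie)
  app.disable_job(cookie: cookie, name: "nightly_report",
                  params: { "authenticity_token" => "guess" })
end

# The application's own form: same cookie, plus the real token rendered into the page.
def legitimate_request(app, cookie)
  app.disable_job(cookie: cookie, name: "nightly_report",
                  params: { "authenticity_token" => app.authenticity_token_for(cookie) })
end

# Returns [result of the forged request, whether the job is still enabled afterwards].
def forged_outcome(protect_from_forgery:)
  app = JobsApp.new(protect_from_forgery: protect_from_forgery)
  cookie = app.login
  [forged_request(app, cookie), app.jobs["nightly_report"]]
end

# Returns [result of the legitimate request, whether the job is still enabled afterwards].
def legitimate_outcome(protect_from_forgery:)
  app = JobsApp.new(protect_from_forgery: protect_from_forgery)
  cookie = app.login
  [legitimate_request(app, cookie), app.jobs["nightly_report"]]
end

if $PROGRAM_NAME == __FILE__
  p forged_outcome(protect_from_forgery: false)      # [:ok, false]      job silently disabled
  p forged_outcome(protect_from_forgery: true)       # [:forbidden, true]
  p legitimate_outcome(protect_from_forgery: true)   # [:ok, false]
end
```

In a real engine, the counterpart of `protect_from_forgery: true` is declaring `protect_from_forgery with: :exception` in the engine's own controller rather than relying on the host application's setting; Rails 5.2 made that the default for every ActionController::Base subclass (`config.action_controller.default_protect_from_forgery`), which is why the issue is specific to earlier versions.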
