RubySec


OSVDB-114435 (devise): CSRF token fixation attacks in Devise


Published: August 02, 2013

SECURITY IDENTIFIERS

OSVDB-114435

GEM

devise

PATCHED VERSIONS

~> 2.2.5, >= 3.0.1

DESCRIPTION

Devise contains a flaw that allows a remote, user-assisted attacker to conduct a CSRF token fixation attack. The issue arises because a previously issued CSRF token is not invalidated when a new token is created, so a token minted before authentication remains valid afterwards. If an attacker knows that earlier token, a specially crafted request carrying it will pass the CSRF check, allowing the attacker to conduct CSRF attacks against the authenticated session.
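As an added illustration (not Devise's own code), the following toy session-backed CSRF guard shows the defect the advisory describes and the mitigation: a token learned before sign-in must be discarded at sign-in so that a fresh one is minted. The class name, method names, session keys and the scenario function are assumptions constructed for this example.

```ruby
require "securerandom"

# Minimal model of a session-backed CSRF token store (constructed for this
# example; not Devise or Rails code). A session is a plain Hash, as in Rack.
class CsrfGuard
  def initialize(rotate_on_login:)
    @rotate_on_login = rotate_on_login
  end

  # Return the session's token, minting one if none exists yet.
  def token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison of a submitted token against the session's token.
  def valid?(session, submitted)
    expected = token(session)
    return false unless submitted && submitted.bytesize == expected.bytesize
    submitted.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # Sign-in. The vulnerable variant keeps the pre-login token, so a token the
  # attacker learned before login is still accepted afterwards (fixation).
  # The hardened variant drops it; the next request mints a fresh token.
  def sign_in(session, user_id)
    session.delete(:_csrf_token) if @rotate_on_login
    session[:user_id] = user_id
  end
end

# Scenario: a token is issued before authentication, the user then signs in,
# and we check whether that pre-login token still passes the CSRF check.
def fixated_token_accepted_after_login?(rotate_on_login:)
  guard = CsrfGuard.new(rotate_on_login: rotate_on_login)
  session = {}
  pre_login_token = guard.token(session) # token observable before sign-in
  guard.sign_in(session, 42)             # constructed user id
  guard.valid?(session, pre_login_token)
end

if __FILE__ == $0
  puts "vulnerable (no rotation): #{fixated_token_accepted_after_login?(rotate_on_login: false)}"
  puts "hardened (rotate on login): #{fixated_token_accepted_after_login?(rotate_on_login: true)}"
end
```

The hardened path is the behaviour to expect from the patched versions: whatever token existed before authentication no longer validates once the user is signed in.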
