CVE-2020-8166

NameCVE-2020-8166
DescriptionA CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4766-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rails (PTS)stretch2:4.2.7.1-1+deb9u2fixed
stretch (security)2:4.2.7.1-1+deb9u4fixed
buster2:5.2.2.1+dfsg-1+deb10u1vulnerable
buster (security)2:5.2.2.1+dfsg-1+deb10u2fixed
bullseye, sid2:6.0.3.4+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
railssourcejessie(not affected)
railssourcestretch(not affected)
railssourcebuster2:5.2.2.1+dfsg-1+deb10u2DSA-4766-1
railssource(unstable)2:5.2.4.3+dfsg-1

Notes

[stretch] - rails <not-affected> (Vulnerable code introduced later)
[jessie] - rails <not-affected> (Vulnerable code introduced later)
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
https://github.com/rails/rails/commit/d124f19287f4892c72ca54da728a781591c6fca1 (5.2)
per-form CSRF token introduced in 5.x: https://github.com/rails/rails/commit/3e98819e20bc113343d4d4c0df614865ad5a9d3a

Search for package or bug name: Reporting problems