6.8

CVE-2011-0447

Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubyonrailsRails Version2.1.0
RubyonrailsRails Version2.1.1
RubyonrailsRails Version2.1.2
RubyonrailsRails Version2.2.0
RubyonrailsRails Version2.2.1
RubyonrailsRails Version2.2.2
RubyonrailsRails Version2.3.2
RubyonrailsRails Version2.3.3
RubyonrailsRails Version2.3.4
RubyonrailsRails Version2.3.9
RubyonrailsRails Version2.3.10
RubyonrailsRails Version3.0.0
RubyonrailsRails Version3.0.0 Updatebeta
RubyonrailsRails Version3.0.0 Updatebeta2
RubyonrailsRails Version3.0.0 Updatebeta3
RubyonrailsRails Version3.0.0 Updatebeta4
RubyonrailsRails Version3.0.0 Updaterc
RubyonrailsRails Version3.0.0 Updaterc2
RubyonrailsRails Version3.0.1
RubyonrailsRails Version3.0.1 Updatepre
RubyonrailsRails Version3.0.2
RubyonrailsRails Version3.0.2 Updatepre
RubyonrailsRails Version3.0.3
RubyonrailsRails Version3.0.4 Updaterc1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.41% 0.691
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
http://secunia.com/advisories/43274
http://secunia.com/advisories/43666
http://www.debian.org/security/2011/dsa-2247
http://www.securityfocus.com/bid/46291
http://www.vupen.com/english/advisories/2011/0587
http://www.vupen.com/english/advisories/2011/0877
http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain
Patch
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
Patch
Vendor Advisory
http://www.securitytracker.com/id?1025060