CVE-2008-7248: Input Validation
First published: Tue Nov 18 2008(Updated: )
A possibility to circumvent protection against cross-site request forgery (CSRF) attacks was found in Ruby on Rails. Quoting upstream security advisory for exact details: There is a bug in all 2.1.x versions of Ruby on Rails which affects the effectiveness of the CSRF protection given by protect_from_forgery. By design rails does not perform token verification on requests with certain content types not typically generated by browsers. Unfortunately this list also included ‘text/plain’ which can be generated by browsers. Requests can be crafted which will circumvent the CSRF protection entirely. Rails does not parse the parameters provided with these requests, but that may not be enough to protect your application. References: ----------- <a href="http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html">http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html</a> <a href="http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1">http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1</a> Upstream patch: --------------- <a href="http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a">http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a</a> CVE Request: ------------ <a href="http://www.openwall.com/lists/oss-security/2009/11/28/1">http://www.openwall.com/lists/oss-security/2009/11/28/1</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/actionpack | >=2.2.0<2.2.2 | 2.2.2 |
| rubygems/actionpack | >=2.1.0<2.1.3 | 2.1.3 |
| Ruby on Rails | =2.1.0 | |
| Ruby on Rails | =2.1.1 | |
| Ruby on Rails | =2.1.2 | |
| Ruby on Rails | =2.2.0 | |
| Ruby on Rails | =2.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2008-7248
- https://access.redhat.com/security/cve/CVE-2008-7248
- https://bugzilla.redhat.com/show_bug.cgi?id=544329
- https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
- https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- https://www.openwall.com/lists/oss-security/2009/11/28/1
- https://www.openwall.com/lists/oss-security/2009/12/02/2
- https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml
- http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- http://www.openwall.com/lists/oss-security/2009/11/28/1
- http://www.openwall.com/lists/oss-security/2009/12/02/2
- https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
- https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544
- https://github.com/advisories/GHSA-8fqx-7pv4-3jwm (Advisory)
- http://secunia.com/advisories/36600
- http://secunia.com/advisories/38915
- http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
- http://www.vupen.com/english/advisories/2009/2544
- http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
- https://rails.lighthouseapp.com/projects/8994/tickets/1145-bug-invalidauthenticitytoken-incorrectly-raised-for-xml-controllerdestroy-request
- http://github.com/rails/rails/commit/f1ad8b48aae3ee26613b3e77bc0056e120096846
- http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.fc10
- http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.el5
- https://www.cve.org/CVERecord?id=CVE-2008-7248 https://nvd.nist.gov/vuln/detail/CVE-2008-7248
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json
Frequently Asked Questions
What is the severity of CVE-2008-7248?
CVE-2008-7248 is considered to be a medium severity vulnerability due to its potential to allow cross-site request forgery attacks.
How do I fix CVE-2008-7248?
To fix CVE-2008-7248, upgrade to Ruby on Rails versions 2.1.3 or 2.2.2 or higher.
Which versions of Ruby on Rails are affected by CVE-2008-7248?
Versions 2.1.0, 2.1.1, 2.1.2, 2.2.0, and 2.2.1 of Ruby on Rails are affected by CVE-2008-7248.
What type of attacks can CVE-2008-7248 potentially allow?
CVE-2008-7248 can potentially allow attackers to exploit cross-site request forgery (CSRF) vulnerabilities.
Is CVE-2008-7248 associated with any specific software packages?
Yes, CVE-2008-7248 is specifically associated with the Ruby on Rails framework, particularly the actionpack package.
- collector/github-advisory-latest
- alias/GHSA-8fqx-7pv4-3jwm
- alias/CVE-2008-7248
- collector/github-advisory
- agent/weakness
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-cve
- source/Red Hat
- collector/redhat-bugzilla
- agent/severity
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-historical
- package-manager/rubygems
- vendor/rubyonrails
- canonical/ruby on rails
- version/ruby on rails/2.1.0
- version/ruby on rails/2.1.1
- version/ruby on rails/2.1.2
- version/ruby on rails/2.2.0
- version/ruby on rails/2.2.1