First published: Tue Sep 07 2021(Updated: )
better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks. As a developer tool, better_errors documentation strongly recommends addition only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Better Errors Project Better Errors | <2.8.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-39197 is a vulnerability in the better_errors gem prior to version 2.8.0 that allows for potential CSRF attacks.
CVE-2021-39197 has a severity score of 8.8, which is considered high.
The Better Errors gem prior to version 2.8.0 is affected by CVE-2021-39197.
The Common Weakness Enumeration (CWE) ID for CVE-2021-39197 is CWE-352.
To fix CVE-2021-39197, upgrade to version 2.8.0 or later of the Better Errors gem.