What is CVE-2021-39197?

CVE-2021-39197 is a vulnerability in the better_errors gem prior to version 2.8.0 that allows for potential CSRF attacks.

How severe is CVE-2021-39197?

CVE-2021-39197 has a severity score of 8.8, which is considered high.

What software is affected by CVE-2021-39197?

The Better Errors gem prior to version 2.8.0 is affected by CVE-2021-39197.

What is the Common Weakness Enumeration (CWE) ID for CVE-2021-39197?

The Common Weakness Enumeration (CWE) ID for CVE-2021-39197 is CWE-352.

How can I fix CVE-2021-39197?

To fix CVE-2021-39197, upgrade to version 2.8.0 or later of the Better Errors gem.

Vulnerability/
CVE-2021-39197

high

8.8

CWE

352

7/9/2021

14/9/2021

CVE-2021-39197: CSRF

First published: Tue Sep 07 2021(Updated: )

better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks. As a developer tool, better_errors documentation strongly recommends addition only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Better Errors Project Better Errors	<2.8.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-39197?
CVE-2021-39197 is a vulnerability in the better_errors gem prior to version 2.8.0 that allows for potential CSRF attacks.
How severe is CVE-2021-39197?
CVE-2021-39197 has a severity score of 8.8, which is considered high.
What software is affected by CVE-2021-39197?
The Better Errors gem prior to version 2.8.0 is affected by CVE-2021-39197.
What is the Common Weakness Enumeration (CWE) ID for CVE-2021-39197?
The Common Weakness Enumeration (CWE) ID for CVE-2021-39197 is CWE-352.
How can I fix CVE-2021-39197?
To fix CVE-2021-39197, upgrade to version 2.8.0 or later of the Better Errors gem.

collector/nvd-index
vendor/better errors project
canonical/better errors project better errors

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.