CVE-2008-7248: Improper Input Validation in actionpack
CVSS Score: 6.8
Basic Information
CVE ID: CVE-2008-7248
GHSA ID:
EPSS Score: 0.93234%
CWE:
Published: 10/24/2017
Updated: 5/26/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
actionpack | rubygems | >= 2.1.0, < 2.1.3 | 2.1.3 |
actionpack | rubygems | >= 2.2.0, < 2.2.2 | 2.2.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Rails' failure to verify CSRF tokens for text/plain requests. The GitHub patch shows that the critical change was removing :text from the @@unverifiable_types set in Mime::Type. This set determines which content types bypass token validation. By including :text in this list, the framework incorrectly classified text/plain requests as 'unverifiable', exempting them from CSRF checks. The direct code modification in the commit confirms this was the root cause.