6.8

CVSS Score

Basic Information

CVE ID

CVE-2008-7248

GHSA ID

GHSA-8fqx-7pv4-3jwm

EPSS Score

0.93234%

CWE

CWE-20

Published

10/24/2017

Updated

5/26/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2008-7248

CVE-2008-7248: Improper Input Validation in actionpack

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

(GitHub Advisory)

6.8

CVSS Score

Basic Information

CVE ID

CVE-2008-7248

GHSA ID

GHSA-8fqx-7pv4-3jwm

EPSS Score

0.93234%

CWE

CWE-20

Published

10/24/2017

Updated

5/26/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
actionpack	rubygems	>= 2.1.0, < 2.1.3	2.1.3
actionpack	rubygems	>= 2.2.0, < 2.2.2	2.2.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Rails' failure to verify CSRF tokens for text/plain requests. The GitHub patch shows the critical change was removing :text from the @@unverifiable_types set in Mime::Type. This set determines which content types bypass token validation. By including :text in this list, the framework incorrectly classified text/plain requests as 'unverifiable', exempting them from CSRF checks. The direct code modification in the commit confirms this was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Ru*y on R*ils *.* ***or* *.*.* *n* *.*.x ***or* *.*.* *o*s not v*ri*y tok*ns *or r*qu*sts wit* **rt*in *ont*nt typ*s, w*i** *llows r*mot* *tt**k*rs to *yp*ss *ross-sit* r*qu*st *or**ry (*SR*) prot**tion *or r*qu*sts to *ppli**tions t**t r*ly on t*is

Reasoning

T** vuln*r**ility st*ms *rom R*ils' **ilur* to v*ri*y *SR* tok*ns *or t*xt/pl*in r*qu*sts. T** *it*u* p*t** s*ows t** *riti**l ***n** w*s r*movin* :t*xt *rom t** @@unv*ri*i**l*_typ*s s*t in `Mim*::Typ*`. T*is s*t **t*rmin*s w*i** *ont*nt typ*s *yp*ss

6.8

Basic Information

Concerned about an active attack path?

CVE-2008-7248: Improper Input Validation in actionpack

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI