CVE-2008-7248: Improper Input Validation in actionpack

CVSS Score: 6.8

Basic Information

EPSS Score: 0.93234%
Published: 10/24/2017
Updated: 5/26/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
actionpack     rubygems    >= 2.1.0, < 2.1.3     2.1.3
actionpack     rubygems    >= 2.2.0, < 2.2.2     2.2.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from Rails' failure to verify CSRF tokens for text/plain requests. The GitHub patch shows that the critical change was removing :text from the @@unverifiable_types set in `Mime::Type`. This set determines which content types bypass token validation: a request whose content type is in the set is treated as "unverifiable" and skips the authenticity-token comparison entirely. By including :text in this list, the framework incorrectly classified text/plain requests as unverifiable, exempting them from CSRF checks. Because the Content-Type header is chosen by the client, an attacker could send a cross-site POST declaring text/plain and reach the action with no token check at all. The direct code modification in the commit confirms this was the root cause.
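The following is an added example, not code from the Miggo page or from Rails itself. It is a small pure-Ruby model of the check described above: a request skips token verification when its content type maps to a symbol in an "unverifiable types" set, and the only difference between the vulnerable and patched variants is whether :text is in that set. The content-type table, the other members of the set (:json, :xml), the parameter name `authenticity_token`, and the session token value are assumptions made for illustration; the forged and legitimate requests are constructed inline.

```ruby
require 'set'

# Content-type strings mapped to the symbols the check keys on.
# Constructed for this example; Rails uses Mime::Type registrations for the same purpose.
MIME_SYMBOLS = {
  'text/plain'                        => :text,
  'application/json'                  => :json,
  'application/xml'                   => :xml,
  'application/x-www-form-urlencoded' => :url_encoded_form,
  'multipart/form-data'               => :multipart_form,
}.freeze

# Content types that skip token verification. The vulnerable set lists :text,
# the patched set does not; membership beyond :text is assumed for illustration.
UNVERIFIABLE_VULNERABLE = Set[:text, :json, :xml].freeze
UNVERIFIABLE_PATCHED    = (UNVERIFIABLE_VULNERABLE - Set[:text]).freeze

Request = Struct.new(:method, :content_type, :params)

# Minimal model of the request-forgery check: a request passes when it is a GET,
# when its format is declared unverifiable, or when the submitted token matches
# the token stored in the session.
class ForgeryCheck
  TOKEN_PARAM = 'authenticity_token'  # assumed parameter name

  def initialize(unverifiable_types, session_token)
    @unverifiable_types = unverifiable_types
    @session_token = session_token
  end

  def verified_request?(request)
    request.method == :get ||
      !verifiable_request_format?(request) ||
      request.params[TOKEN_PARAM] == @session_token
  end

  private

  # Strips any ";charset=..." parameter before the lookup. An unknown or missing
  # content type maps to :unknown, which is never in the set, so it is verified
  # (fail closed); this default is a choice of the model, not a claim about Rails.
  def verifiable_request_format?(request)
    media_type = request.content_type.to_s.split(';').first.to_s.strip
    sym = MIME_SYMBOLS.fetch(media_type, :unknown)
    !@unverifiable_types.include?(sym)
  end
end

# Runs the same forged and legitimate requests through both checks and reports
# whether each request would be accepted. Returns a hash keyed by request name.
def compare_checks(session_token = 'deadbeef')
  requests = {
    # Cross-site POST that declares text/plain and carries no token.
    forged_text_plain: Request.new(:post, 'text/plain; charset=UTF-8', {}),
    # Cross-site POST using an ordinary form encoding and no token.
    forged_form:       Request.new(:post, 'application/x-www-form-urlencoded', {}),
    # Same-site form POST carrying the correct token.
    legit_form:        Request.new(:post, 'application/x-www-form-urlencoded',
                                   { 'authenticity_token' => session_token }),
    # GETs are never token-checked in this model.
    plain_get:         Request.new(:get, nil, {}),
  }
  vulnerable = ForgeryCheck.new(UNVERIFIABLE_VULNERABLE, session_token)
  patched    = ForgeryCheck.new(UNVERIFIABLE_PATCHED, session_token)
  requests.transform_values do |req|
    { vulnerable: vulnerable.verified_request?(req), patched: patched.verified_request?(req) }
  end
end

if __FILE__ == $0
  compare_checks.each do |name, result|
    puts format('%-18s vulnerable=%-5s patched=%s', name, result[:vulnerable], result[:patched])
  end
end
```

Run as a script to see the four rows: the forged text/plain POST is accepted only by the vulnerable set, the forged form POST is rejected by both, and the legitimate form POST and the GET are accepted by both. The point to take away is that the bypass needs nothing beyond control of the Content-Type header, which any cross-site sender has.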


WAF Protection Rules

WAF Rule

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this
