
CVE-2010-3978: Spree allows remote attackers to obtain sensitive information

Basic Information

CVSS Score: 5
EPSS Score: -
Published: 5/14/2022
Updated: 8/29/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
spree        | rubygems  | >= 0.11.0, < 0.11.2 | 0.11.2
spree        | rubygems  | = 0.30.0.beta1      | 0.30.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing CSRF token validation in JSON endpoints. The patch adds 'before_filter :check_json_authenticity' to these controllers, confirming they previously lacked this protection. The commit diff shows these endpoints were vulnerable because they returned sensitive data without validating the authenticity token in GET requests, a classic JSON hijacking vector. The admin_token_passed_in_headers method in api/base_controller.rb was also vulnerable but primarily impacts API access rather than the admin UI endpoints explicitly mentioned in the CVE description.
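As an added illustration (written for this page, not Spree's code and not the patch itself), the Ruby below models the before_filter-style gate the patch introduces: a JSON response, GET included, is served only when the request carries the per-session authenticity token, which a cross-site script-tag load cannot supply even though the victim's session cookie rides along. The Request struct, token names, session layout and sample requests are constructed assumptions.

```ruby
require "securerandom"
# Constructed model of an HTTP request (hypothetical, not Spree's own class).
Request = Struct.new(:verb, :format, :params, :headers, :session, keyword_init: true)

module JsonAuthenticity
  TOKEN_PARAM  = "authenticity_token"
  TOKEN_HEADER = "X-CSRF-Token"

  # Token the client sent, via form/query param or request header.
  def self.supplied_token(req)
    req.params[TOKEN_PARAM] || req.headers[TOKEN_HEADER]
  end

  # Constant-time byte comparison so the mismatch position is not timing-observable.
  def self.secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # before_filter-style gate: any JSON response, GET included, is served only
  # when the supplied token matches the token bound to the session cookie.
  # A cross-site <script src=".../admin/products.json"> load sends the victim's
  # cookie but cannot read or forge that token, so it is rejected here.
  def self.check_json_authenticity(req)
    return :allow unless req.format == :json   # HTML pages are covered by other controls
    expected = req.session[:_csrf_token]
    return :reject if expected.nil?
    secure_compare(supplied_token(req), expected) ? :allow : :reject
  end
end

# Constructed sample traffic to a hypothetical admin JSON endpoint.
SESSION_TOKEN  = SecureRandom.hex(16)
VICTIM_SESSION = { _csrf_token: SESSION_TOKEN }.freeze
SAMPLE_REQUESTS = {
  same_origin_xhr:       Request.new(verb: "GET", format: :json, params: {},
                                     headers: { "X-CSRF-Token" => SESSION_TOKEN }, session: VICTIM_SESSION),
  cross_site_script_tag: Request.new(verb: "GET", format: :json, params: {},
                                     headers: {}, session: VICTIM_SESSION), # cookie present, token absent
  wrong_token:           Request.new(verb: "GET", format: :json, params: { "authenticity_token" => "guess" },
                                     headers: {}, session: VICTIM_SESSION),
  html_page:             Request.new(verb: "GET", format: :html, params: {},
                                     headers: {}, session: VICTIM_SESSION),
}.freeze

# Gate decision per sample request, keyed by the request name.
def decisions
  SAMPLE_REQUESTS.transform_values { |r| JsonAuthenticity.check_json_authenticity(r) }
end
```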


WAF Protection Rules

WAF Rule

Spree 0.11.x before 0.11.2 and 0.30.x before 0.30.0 exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) `admin/pro
