6.8

CVSS Score

Basic Information

CVE ID

CVE-2011-0447

GHSA ID

GHSA-24fg-p96v-hxh8

EPSS Score

0.77708%

CWE

CWE-352

Published

10/24/2017

Updated

11/8/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2011-0447

CVE-2011-0447: actionpack Cross-Site Request Forgery vulnerability

Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.

(GitHub Advisory)

6.8

CVSS Score

Basic Information

CVE ID

CVE-2011-0447

GHSA ID

GHSA-24fg-p96v-hxh8

EPSS Score

0.77708%

CWE

CWE-352

Published

10/24/2017

Updated

11/8/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
actionpack	rubygems	>= 2.1.0, < 2.3.11	2.3.11
actionpack	rubygems	>= 3.0.0, < 3.0.4	3.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key functions: 1) verified_request? relied on forgery_whitelisted? which improperly allowed XHR/non-HTML requests without CSRF tokens. 2) forgery_whitelisted? itself contained the flawed logic that permitted these unsafe validations. The patch removed XHR/content type checks and restricted whitelisting to GET requests, confirming these were the vulnerable components. The commit diff and CVE description directly correlate to these function changes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Ru*y on R*ils *.*.x, *.*.x, *n* *.*.x ***or* *.*.**, *n* *.x ***or* *.*.*, *o*s not prop*rly v*li**t* *TTP r*qu*sts t**t *ont*in *n X-R*qu*st**-Wit* *****r, w*i** m*k*s it **si*r *or r*mot* *tt**k*rs to *on*u*t *ross-sit* r*qu*st *or**ry (*SR*) *tt**

Reasoning

T** vuln*r**ility st*mm** *rom two k*y *un*tions: *) v*ri*i**_r*qu*st? r*li** on *or**ry_w*it*list**? w*i** improp*rly *llow** X*R/non-*TML r*qu*sts wit*out *SR* tok*ns. *) *or**ry_w*it*list**? its*l* *ont*in** t** *l*w** lo*i* t**t p*rmitt** t**s* u

6.8

Basic Information

Concerned about an active attack path?

CVE-2011-0447: actionpack Cross-Site Request Forgery vulnerability

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI