CVE-2011-0447: actionpack Cross-Site Request Forgery vulnerability
CVSS Score: 6.8
Basic Information
CVE ID: CVE-2011-0447
GHSA ID
EPSS Score: 0.77708%
CWE
Published: 10/24/2017
Updated: 11/8/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| actionpack | rubygems | >= 2.1.0, < 2.3.11 | 2.3.11 |
| actionpack | rubygems | >= 3.0.0, < 3.0.4 | 3.0.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from two functions: 1) verified_request? relied on forgery_whitelisted?, which improperly exempted XHR and non-HTML requests from the CSRF token check. 2) forgery_whitelisted? itself contained the flawed logic that granted these exemptions. The patch removed the XHR and content-type checks and restricted whitelisting to GET requests, confirming that these were the vulnerable components. The commit diff and the CVE description correspond directly to these function changes.
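The following is an added illustration, not actionpack's own code: a simplified, self-contained model of the whitelist logic the analysis describes, with the pre-patch exemptions beside the patched GET-only rule. The Request struct, the VERIFIABLE_TYPES list and the sample requests are constructed for the example.

```ruby
require 'securerandom'

# Minimal stand-in for the request object (constructed for this example):
# only the fields the CSRF check reads.
Request = Struct.new(:http_method, :xhr, :content_type, :params, :headers,
                     keyword_init: true) do
  def get?; http_method == :get; end
  def xhr?; !!xhr; end
end

# Content types treated as "verifiable" (HTML/form-like); before the patch,
# anything else was waved through without a token.
VERIFIABLE_TYPES = ['text/html', 'application/x-www-form-urlencoded',
                    'multipart/form-data'].freeze

# Pre-patch behaviour as the analysis describes it: GET, XHR, or a missing /
# non-HTML content type all bypass the token check.
def forgery_whitelisted_vulnerable?(req)
  req.get? || req.xhr? || req.content_type.nil? ||
    !VERIFIABLE_TYPES.include?(req.content_type)
end

# Post-patch behaviour: only GET is exempt. Every state-changing request must
# present the session token, either as a form param or as X-CSRF-Token.
def forgery_whitelisted_patched?(req)
  req.get?
end

# Shared verification step; `whitelist` is one of the two predicates above.
def verified_request?(req, session_token, whitelist)
  return true if whitelist.call(req)
  presented = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  # Production code should use a constant-time comparison here.
  !presented.nil? && presented == session_token
end

# Constructed sample: a state-changing POST that arrives with an XHR marker,
# a non-HTML content type and no token. The old whitelist accepts it.
def tokenless_xhr_post
  Request.new(http_method: :post, xhr: true, content_type: 'application/json',
              params: {}, headers: {})
end

# Constructed sample: a regular form POST carrying the session token.
def legit_form_post(token)
  Request.new(http_method: :post, xhr: false,
              content_type: 'application/x-www-form-urlencoded',
              params: { 'authenticity_token' => token }, headers: {})
end
```

Running both predicates over the same tokenless POST shows the patch's effect: the pre-patch whitelist returns true without ever consulting the token, while the patched rule falls through to the token comparison and rejects it.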