4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-16252

GHSA ID

GHSA-w542-cpp9-r3g7

EPSS Score

0.32978%

CWE

CWE-352

Published

8/5/2020

Updated

7/5/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-16252

CVE-2020-16252:
Field Test CSRF vulnerability

The Field Test dashboard is vulnerable to cross-site request forgery (CSRF) with non-session based authentication methods in versions v0.2.0 through v0.3.2.

Impact

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods (like Devise's default authentication) are not affected.

A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, a single endpoint is affected, which allows for changing the variant assigned to a user.

All users running an affected release should upgrade immediately.

Technical Details

Field Test uses the protect_from_forgery method from Rails to prevent CSRF. However, this defaults to :null_session, which has no effect on non-session based authentication methods. This has been changed to protect_from_forgery with: :exception.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-16252

GHSA ID

GHSA-w542-cpp9-r3g7

EPSS Score

0.32978%

CWE

CWE-352

Published

8/5/2020

Updated

7/5/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
field_test	rubygems	>= 0.2.0, <= 0.3.2	0.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Rails' protect_from_forgery defaulting to :null_session, which only clears the session when CSRF validation fails. Since non-session authentication methods (like HTTP Basic Auth) don't rely on session cookies, this strategy fails to protect them. The fix explicitly sets with: :exception to enforce CSRF token validation regardless of authentication method. The affected code is directly shown in the commit diff modifying BaseController.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *i*l* T*st **s**o*r* is vuln*r**l* to *ross-sit* r*qu*st *or**ry (*SR*) wit* non-s*ssion **s** *ut**nti**tion m*t*o*s in v*rsions v*.*.* t*rou** v*.*.*. ## Imp**t T** *i*l* T*st **s**o*r* is vuln*r**l* to *SR* wit* non-s*ssion **s** *ut**nti**ti

Reasoning

T** vuln*r**ility st*ms *rom R*ils' `prot**t_*rom_*or**ry` ****ultin* to `:null_s*ssion`, w*i** only *l**rs t** s*ssion w**n *SR* v*li**tion **ils. Sin** non-s*ssion *ut**nti**tion m*t*o*s (lik* *TTP **si* *ut*) *on't r*ly on s*ssion *ooki*s, t*is st

4.3

Basic Information

Concerned about an active attack path?

CVE-2020-16252: Field Test CSRF vulnerability

Impact

Technical Details

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-16252:
Field Test CSRF vulnerability

Vulnerability Intelligence
Miggo AI