Miggo Logo
Miggo Vulnerability Database
CVE-2020-8167

CVE-2020-8167:
CSRF Vulnerability in rails-ujs

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-8167
GHSA ID
GHSA-xq5j-gw7f-jgj8
EPSS Score
0.68287%
CWE
CWE-352
Published
7/7/2020
Updated
8/17/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
actionviewrubygems>= 5.0.0, <= 5.2.4.25.2.4.3
actionviewrubygems>= 6.0.0, <= 6.0.36.0.3.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability occurs when rails-ujs adds CSRF tokens to cross-origin requests. The handleMethod function in method.coffee is responsible for processing AJAX requests from links/forms. Pre-patch versions lacked cross-origin validation before token inclusion. Runtime detection would show this function in call stacks when malicious links/forms trigger unauthorized token transmission.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * vuln*r**ility in r*ils-ujs t**t *llows *tt**k*rs to s*n* *SR* tok*ns to wron* *om*ins. V*rsions *****t**: r*ils <= *.*.* Not *****t**: *ppli**tions w*i** *on't us* r*ils-ujs. *ix** V*rsions: r*ils >= *.*.*.*, r*ils >= *.*.*.*

Reasoning

T** vuln*r**ility o**urs w**n r*ils-ujs ***s *SR* tok*ns to *ross-ori*in r*qu*sts. T** `**n*l*M*t*o*` *un*tion in `m*t*o*.*o****` is r*sponsi*l* *or pro**ssin* *J*X r*qu*sts *rom links/*orms. Pr*-p*t** v*rsions l**k** *ross-ori*in v*li**tion ***or* t