
CVE-2021-29435: Cross-Site Request Forgery (CSRF) in trestle-auth

CVSS Score: 8.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.35561%
Published: 4/13/2021
Updated: 5/4/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Package Name: trestle-auth
Ecosystem: rubygems
Vulnerable Versions: >= 0.4.0, < 0.4.2
First Patched Version: 0.4.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from the execution order of the before_action callbacks. The commit diff shows that the fix added 'protect_from_forgery prepend: true' so that the CSRF check runs before authentication. In vulnerable versions, the authentication before_actions were prepended first, so CSRF validation ran only after authentication had already been performed. This allowed forged requests to bypass the CSRF check once the user was authenticated. The root cause is the inclusion order in the Authentication module's 'included' block.
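As an added illustration (not trestle-auth's code and not taken from the advisory), the following plain-Ruby model of a Rails-style before_action chain shows why the prepend order matters. It assumes a null-session style CSRF handler that clears the session instead of halting (the page does not state which strategy trestle-auth used), and the admin session and forged request are constructed inline.

```ruby
# Model of a Rails-style before_action chain (constructed; not trestle-auth code).
# `prepend: true` puts a callback at the front of the chain, as in Rails. The CSRF
# handler is modelled on a null-session style strategy (assumption): on a token
# mismatch it clears the session rather than halting, so a callback that already
# read the session keeps what it found.
class Controller
  attr_reader :session, :params, :current_user, :halted
  def initialize(session, params)
    @session, @params, @chain = session, params, []
    @current_user, @halted = nil, false
  end
  def before_action(name, prepend: false)
    prepend ? @chain.unshift(name) : @chain.push(name)
  end
  # Run callbacks in chain order; a callback halts the chain by returning false.
  # Returns true when the action would execute with an authenticated user.
  def run
    @chain.each do |cb|
      break if @halted
      @halted = true if send(cb) == false
    end
    !@halted && !@current_user.nil?
  end
  def verify_csrf
    return if params[:authenticity_token] == session[:csrf_token]
    @session = {} # null-session style: drop session state, do not halt
  end
  def authenticate_user
    @current_user = session[:user_id] # memoised once; never re-read
    false if @current_user.nil?       # would redirect to login in a real app
  end
end
# Constructed forged request: valid admin session cookie, no matching CSRF token.
SESSION = { user_id: 42, csrf_token: "secret" }.freeze
FORGED  = { authenticity_token: nil }.freeze
def vulnerable_order # base controller registers CSRF; auth module prepends auth
  c = Controller.new(SESSION.dup, FORGED)
  c.before_action(:verify_csrf)
  c.before_action(:authenticate_user, prepend: true)
  c.run # => true: forged request runs as the admin
end
def fixed_order # 'protect_from_forgery prepend: true' moves CSRF ahead of auth
  c = Controller.new(SESSION.dup, FORGED)
  c.before_action(:authenticate_user, prepend: true)
  c.before_action(:verify_csrf, prepend: true)
  c.run # => false: session is cleared before auth reads it, chain halts
end
```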
