Base Score

MEDIUM4.3

CVE-2020-8166

A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

VectorNETWORK

Published Bysupport@hackerone.com

Published DateJul 02, 2020, 19:15

Affected Versions(2)

actionpack(RubyGems)

Introduced5.0.0

Fixed5.2.4.3

LimitN/A

actionpack(RubyGems)

Introduced6.0.0

Fixed6.0.3.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
actionpack(RubyGems)	5.0.0	5.2.4.3	N/A
actionpack(RubyGems)	6.0.0	6.0.3.1	N/A

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

4.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

MEDIUM4.3

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

4.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE