CVE-2011-0447.yml
---
gem: actionpack
framework: rails
cve: 2011-0447
ghsa: 24fg-p96v-hxh8
url: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
title: CSRF Protection Bypass in Ruby on Rails
date: 2017-10-24
description: |
  Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and
  3.x before 3.0.4, does not properly validate HTTP requests that
  contain an X-Requested-With header, which makes it easier for
  remote attackers to conduct cross-site request forgery (CSRF)
  attacks via forged (1) AJAX or (2) API requests that leverage
  "combinations of browser plugins and HTTP redirects,"
  a related issue to CVE-2011-0696.
cvss_v2: 6.8
unaffected_versions:
  - "< 2.1.0"
patched_versions:
  - "~> 2.3.11"
  - ">= 3.0.4"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2011-0447
    - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
    - https://groups.google.com/g/rubyonrails-security/c/LZWjzCPgNmU/m/HBgNjGahLsIJ
    - https://github.com/advisories/GHSA-24fg-p96v-hxh8
    - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
    - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
    - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
    - https://bugzilla.redhat.com/show_bug.cgi?id=677631
    - http://www.debian.org/security/2011/dsa-2247
    - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274
    - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666
    - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/46291
    - https://web.archive.org/web/20201208053819/http://www.securitytracker.com/id?1025060