Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-7248 — Improper Input Validation in Rails

CWE-20 — Improper Input Validation CWE-352 — Cross-Site Request Forgery9 documents8 sources

Severity

6.8MEDIUMNVD

EPSS

11.4%

top 6.41%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Rubyonrails Rails Actionpack Project Actionpack

Timeline

PublishedDec 16

Latest updateOct 24

Description

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶Debianrubyonrails/rails< 2.2.3-1+3

▶NVDrubyonrails/rails5 versions+4

▶RubyGemsactionpack_project/actionpack2.1.0 — 2.1.3+1

🔴Vulnerability Details

OSV

Improper Input Validation in actionpack↗2017-10-24

▶

GHSA

Improper Input Validation in actionpack↗2017-10-24

▶

CVEList

CVE-2008-7248: Ruby on Rails 2↗2009-12-16

▶

OSV

CVE-2008-7248: Ruby on Rails 2↗2009-12-16

▶

💥Exploits & PoCs

Exploit-DB

Ruby on Rails 2.3.5 - 'protect_from_forgery' Cross-Site Request Forgery↗2009-12-14

▶

📋Vendor Advisories

Red Hat

rubygem-actionpack: Potential CSRF protection circumvention↗2008-11-18

▶

Debian

CVE-2008-7248: rails - Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for...↗2008

▶

💬Community

Bugzilla

CVE-2008-7248 rubygem-actionpack: Potential CSRF protection circumvention↗2009-12-04

▶