Bug 1172182

Summary: VUL-1: CVE-2020-8166: rubygem-rails-4_2,rubygem-rails-5_1: Ability to forge per-form CSRF tokens given a global CSRF token
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Manuel Schnitzer <mschnitzer>
Status: CONFIRMED ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andreas.taschner, johannes.grassler, kberger, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/260133/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-8166:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patch v5.2, patch v6.0

Description Alexandros Toptsoglou 2020-05-27 13:18:25 UTC
CVE-2020-8166

Ability to forge per-form CSRF tokens given a global CSRF token

It is possible, given a global CSRF token such as the one
present in the authenticity_token meta tag, to forge a per-form CSRF token for
any action for that session. This vulnerability has been assigned the CVE
identifier CVE-2020-8166.

Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications without existing HTML injection vulnerabilities.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Given the ability to extract the global CSRF token, an attacker would be able to
construct a per-form CSRF token for that session.

Releases
--------

The fixed releases are available on RubyGems.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessary
until such time as the application can be upgraded.

Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patches for Rails 6.0.3 and Rails 5.2.4.2.

* 5-2-per-form-csrf.patch - Patch for 5.2 series
* 6-0-per-form-csrf.patch - Patch for 6.0 series

Reference 

https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
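The advisory above gives the affected and fixed version boundaries but no quick way to check a deployment against them. The following is an added example (not part of the bug report, the Rails advisory, or the rails gem) that encodes those boundaries with Gem::Version and scans a Gemfile.lock for the resolved rails version. It assumes the standard Gemfile.lock layout (resolved spec lines at four-space indentation) and treats the series that never received a fix (4.2, 5.0, 5.1, which this bug tracks as affected) as affected when they are older than the 5.2 fix; the sample lockfile excerpt is constructed.

```ruby
# Added example, not from the bug report or the rails project: an audit
# helper for CVE-2020-8166 based on the version boundaries in the advisory.
require 'rubygems'

# Fixed versions per release series, as stated in the advisory.
FIXED_VERSIONS = {
  '5.2' => Gem::Version.new('5.2.4.3'),
  '6.0' => Gem::Version.new('6.0.3.1'),
}.freeze

# True when +version_string+ falls in the affected range.
# Series with a fix (5.2, 6.0) are compared against their fixed release.
# Older series (4.2, 5.0, 5.1) never received a fix and are treated as
# affected; 6.1 and later shipped after the fix and are not (assumption
# made for this example, consistent with the advisory's ranges).
def affected_by_cve_2020_8166?(version_string)
  version = Gem::Version.new(version_string)
  series  = version.segments.first(2).join('.')
  fixed   = FIXED_VERSIONS[series]
  return version < fixed if fixed
  version < FIXED_VERSIONS['5.2']
end

# Extract the resolved rails version from Gemfile.lock text. The spec line
# sits at four-space indentation with a bare version ("    rails (5.2.4.2)");
# dependency lines such as "      rails (= 5.2.4.2)" carry an operator and
# deeper indentation, so the pattern deliberately skips them.
def rails_version_from_lockfile(lockfile_text)
  lockfile_text.each_line do |line|
    return Regexp.last_match(1) if line =~ /\A {4}rails \((\d[^)]*)\)\s*\z/
  end
  nil
end

# Audit a lockfile: :affected, :fixed, or :no_rails when rails is not pinned.
def audit_lockfile(lockfile_text)
  version = rails_version_from_lockfile(lockfile_text)
  return :no_rails unless version
  affected_by_cve_2020_8166?(version) ? :affected : :fixed
end

# Constructed Gemfile.lock excerpt (not a real project's lockfile); the
# "some-engine" gem is hypothetical and exists only to show a dependency line.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.4.2)
        rails-dom-testing (~> 2.0)
      rails (5.2.4.2)
        actionpack (= 5.2.4.2)
      some-engine (1.0.0)
        rails (= 5.2.4.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  puts "#{path || 'sample lockfile'}: rails #{rails_version_from_lockfile(text).inspect} -> #{audit_lockfile(text)}"
end
```

Run it with a path to a Gemfile.lock to audit a real checkout, or without arguments to see the verdict for the constructed sample (rails 5.2.4.2, which is affected). Gem::Version is used rather than string comparison so that four-segment releases such as 5.2.4.3 and pre-release tags order correctly.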
Comment 1 Alexandros Toptsoglou 2020-05-27 13:20:25 UTC
Created attachment 838253
patch v5.2
Comment 2 Alexandros Toptsoglou 2020-05-27 13:20:47 UTC
Created attachment 838254
patch v6.0
Comment 5 Alexandros Toptsoglou 2020-07-29 09:04:06 UTC
Tracked rubygem-rails-5_1 in SLE15 as affected. Additionally, there is rubygem-rails-5.2 in Leap 15.1, 15.2 and Factory, which are all affected.
Comment 6 Wolfgang Frisch 2020-10-14 13:17:21 UTC
openSUSE Leap is imported from SUSE:SLE-15:Update and
openSUSE Factory has since been fixed incidentally.

Can you please submit an update for SUSE:SLE-15:Update?

Additional references:
https://bugzilla.redhat.com/show_bug.cgi?id=1843152
http://www.debian.org/security/-1/dsa-4766
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8166.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
Comment 8 Swamp Workflow Management 2020-10-26 14:21:51 UTC
SUSE-SU-2020:3036-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    rmt-server-2.6.5-3.3.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    rmt-server-2.6.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-11-04 14:17:09 UTC
SUSE-SU-2020:3147-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise Server 15-LTSS (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    rmt-server-2.6.5-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-11-05 14:21:51 UTC
SUSE-SU-2020:3160-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    rmt-server-2.6.5-3.18.1
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    rmt-server-2.6.5-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-11-21 17:16:56 UTC
openSUSE-SU-2020:1993-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    rmt-server-2.6.5-lp152.2.3.1
Comment 13 Swamp Workflow Management 2020-11-23 14:23:29 UTC
openSUSE-SU-2020:2000-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    rmt-server-2.6.5-lp151.2.18.2
Comment 14 Wolfgang Frisch 2020-12-09 16:32:41 UTC
rubygem-rails-5_1 on SUSE:SLE-15:Update is still tracked as affected.
Comment 15 OBSbugzilla Bot 2021-05-18 09:21:35 UTC
This is an autogenerated message for OBS integration:
This bug (1172182) was mentioned in
https://build.opensuse.org/request/show/893979 Factory / rmt-server