Bugzilla – Bug 1172184
VUL-0: CVE-2020-8167: rubygem-actionview-5_1, rubygem-actionpack-5_1: CSRF Vulnerability in rails-ujs
Last modified: 2022-09-28 16:39:25 UTC
CSRF Vulnerability in rails-ujs

There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. This vulnerability has been assigned the CVE identifier CVE-2020-8167.

Versions Affected: rails <= 6.0.3
Not affected: Applications which don't use rails-ujs.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters. For example, code like this:

    link_to params

to code like this:

    link_to filtered_params

    def filtered_params
      # Filter just the parameters that you trust
    end

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series. They are in git-am format and consist of a single changeset.

* 5-2-rails-ujs.patch - Patch for 5.2 series
* 6-0-rails-ujs.patch - Patch for 6.0 series

Credits
-------

Thanks to Ben Toews of GitHub for reporting the vulnerability to us.
Reference https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Created attachment 838257: patch v5.2
Created attachment 838258: patch v6.0
While this may affect rubygem-actionpack-*, the fix needs to happen in rubygem-actionview. It took me a while to figure out that that one is where ajax.coffee actually resides, so I am leaving this information here for future reference. Regarding SUSE OpenStack Cloud: in SUSE OpenStack Cloud 7, 8 and 9 we are using ActionView 4.2, which does not even have rails-ujs yet (it got added in a later version). Hence SUSE OpenStack Cloud is not affected by this CVE.
Tracked rubygem-actionview-5_1 as affected. Assigned to its maintainer.
Please submit rubygem-actionview-5_1 to SUSE:SLE-15:Update. Upstream commit: https://github.com/rails/rails/commit/a20fbf9bc52e9596a675c1071ab3fe052ac4f0dc
SUSE-SU-2020:3036-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): rmt-server-2.6.5-3.3.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src): rmt-server-2.6.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3147-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise Server 15-LTSS (src): rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): rmt-server-2.6.5-3.34.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): rmt-server-2.6.5-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3160-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): rmt-server-2.6.5-3.18.1
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src): rmt-server-2.6.5-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1993-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1165548,1168554,1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): rmt-server-2.6.5-lp152.2.3.1
openSUSE-SU-2020:2000-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1172177,1172182,1172184,1172186,1173351
CVE References: CVE-2019-16770,CVE-2019-5418,CVE-2019-5419,CVE-2019-5420,CVE-2020-11076,CVE-2020-11077,CVE-2020-15169,CVE-2020-5247,CVE-2020-5249,CVE-2020-5267,CVE-2020-8164,CVE-2020-8165,CVE-2020-8166,CVE-2020-8167,CVE-2020-8184,CVE-2020-8185
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): rmt-server-2.6.5-lp151.2.18.2
This is an autogenerated message for OBS integration: This bug (1172184) was mentioned in https://build.opensuse.org/request/show/893979 Factory / rmt-server