Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Rubyonrails
  • Rails

Configuration 1 [-]

OR cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*

No data.

References
Link Providers
http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html cve-icon cve-icon
http://secunia.com/advisories/43274 cve-icon cve-icon
http://secunia.com/advisories/43666 cve-icon cve-icon
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails cve-icon cve-icon
http://www.debian.org/security/2011/dsa-2247 cve-icon cve-icon
http://www.securityfocus.com/bid/46291 cve-icon cve-icon
http://www.securitytracker.com/id?1025060 cve-icon cve-icon
http://www.vupen.com/english/advisories/2011/0587 cve-icon cve-icon
http://www.vupen.com/english/advisories/2011/0877 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2011-02-14T20:00:00

Updated: 2024-08-06T21:51:09.065Z

Reserved: 2011-01-13T00:00:00

Link: CVE-2011-0447

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2011-02-14T21:00:03.087

Modified: 2019-08-08T15:41:32.003

Link: CVE-2011-0447

cve-icon Redhat

No data.