fkie_cve-2011-0447
Vulnerability from fkie_nvd
Published
2011-02-14 21:00
Modified
2024-11-21 01:24
Severity ?
Summary
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
References
cve@mitre.orghttp://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplainPatch
cve@mitre.orghttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
cve@mitre.orghttp://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
cve@mitre.orghttp://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
cve@mitre.orghttp://secunia.com/advisories/43274
cve@mitre.orghttp://secunia.com/advisories/43666
cve@mitre.orghttp://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-railsPatch, Vendor Advisory
cve@mitre.orghttp://www.debian.org/security/2011/dsa-2247
cve@mitre.orghttp://www.securityfocus.com/bid/46291
cve@mitre.orghttp://www.securitytracker.com/id?1025060
cve@mitre.orghttp://www.vupen.com/english/advisories/2011/0587
cve@mitre.orghttp://www.vupen.com/english/advisories/2011/0877
af854a3a-2127-422b-91ae-364da2661108http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplainPatch
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/43274
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/43666
af854a3a-2127-422b-91ae-364da2661108http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-railsPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2011/dsa-2247
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/46291
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id?1025060
af854a3a-2127-422b-91ae-364da2661108http://www.vupen.com/english/advisories/2011/0587
af854a3a-2127-422b-91ae-364da2661108http://www.vupen.com/english/advisories/2011/0877
Impacted products
Vendor Product Version
rubyonrails rails 2.1.0
rubyonrails rails 2.1.1
rubyonrails rails 2.1.2
rubyonrails rails 2.2.0
rubyonrails rails 2.2.1
rubyonrails rails 2.2.2
rubyonrails rails 2.3.2
rubyonrails rails 2.3.3
rubyonrails rails 2.3.4
rubyonrails rails 2.3.9
rubyonrails rails 2.3.10
rubyonrails rails 3.0.0
rubyonrails rails 3.0.0
rubyonrails rails 3.0.0
rubyonrails rails 3.0.0
rubyonrails rails 3.0.0
rubyonrails rails 3.0.0
rubyonrails rails 3.0.0
rubyonrails rails 3.0.1
rubyonrails rails 3.0.1
rubyonrails rails 3.0.2
rubyonrails rails 3.0.2
rubyonrails rails 3.0.3
rubyonrails rails 3.0.4


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "87B4B121-94BD-4E0F-8860-6239890043B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "63CF211C-683E-4F7D-8C62-05B153AC1960",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "456A2F7E-CC66-48C4-B028-353D2976837A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B1CDAFA-2AC6-4C46-9E65-0BE9127E770F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9806A84-2160-40EA-9960-AE7756CE4E0A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "07EC67D4-3D0F-4FF9-8197-71175DCB2723",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1467583-23E9-4E2B-982D-80A356174BB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DC784C0-5618-4C32-8C17-BE7041656E14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "CFB9ABB5-1F78-4CF0-BA82-7833E0F7A56E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B38EAA4-E948-45A7-B6E5-7214F2B545E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "DCEE5B21-C990-4705-8239-0D7B29DAEDA1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "65EE33B1-B079-4CDE-B9C2-F1613A4610DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "5CAAA20B-824F-4448-99DC-9712FE628073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "D2BEBDFB-0F30-454A-B74C-F820C9D2708B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
              "matchCriteriaId": "1D7CD8C1-95D1-477E-AD96-6582EC33BA01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "B6F00D98-3D0F-40AF-AE4F-090B1E6B660C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "9476CE55-69C0-45D3-B723-6F459C90BF05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
              "matchCriteriaId": "486F5BA6-BCF7-4691-9754-19D364B4438D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "112FC73B-A8BC-4EEA-9F4B-CCE685EF2838",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
              "matchCriteriaId": "E4498383-6FCA-4E17-A1FD-B0CE7EE50F85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D26565B1-2BA6-4A3C-9264-7FC9A1820B59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage \"combinations of browser plugins and HTTP redirects,\" a related issue to CVE-2011-0696."
    },
    {
      "lang": "es",
      "value": "Ruby on Rails v2.1.x, v2.2.x, and v2.3.x anteriores a v2.3.11,y v3.x anteriores a v3.0.4 no valida correctamente las solicitudes HTTP que contienen una cabecera X-Requested-With, que le hace m\u00e1s f\u00e1cil para los atacantes remotos para llevar a cabo una vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en AJAX o peticiones API, que aprovechan \"combinaciones de complementos del navegador y redirecciones\" esta relacionado con CVE-2011-0696"
    }
  ],
  "id": "CVE-2011-0447",
  "lastModified": "2024-11-21T01:24:00.103",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2011-02-14T21:00:03.087",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source\u0026output=gplain"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/43274"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/43666"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2011/dsa-2247"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/46291"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id?1025060"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2011/0587"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2011/0877"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source\u0026output=gplain"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/43274"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/43666"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2011/dsa-2247"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/46291"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1025060"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2011/0587"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2011/0877"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.