Rubyonrails: >> Rails >> 6.0.3 Security Vulnerabilities
A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
CVSS Score
4.3
EPSS Score
0.004
Published
2020-07-02
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
CVSS Score
6.5
EPSS Score
0.007
Published
2020-07-02
A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
CVSS Score
9.8
EPSS Score
0.901
Published
2020-06-19
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
CVSS Score
6.5
EPSS Score
0.004
Published
2020-06-19
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
CVSS Score
7.5
EPSS Score
0.015
Published
2020-06-19
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
CVSS Score
7.5
EPSS Score
0.074
Published
2020-06-19
Page 3