ruby-jquery-rails4.2: CSRF Vulnerability in jquery-ujs and jquery-rails (CVE-2015-1840)
CSRF Vulnerability in jquery-ujs and jquery-rails
There is a vulnerability in jquery-ujs and jquery-rails that can be used to bypass CSP protections and allows attackers to send CSRF tokens to attacker domains.
This vulnerability has been assigned the CVE identifier CVE-2015-1840.
Versions Affected: All.
Not affected: Applications which don’t use jquery-ujs or jquery-rails.
Fixed Versions: jquery-rails versions 4.0.4 and 3.1.3 and jquery-ujs 1.0.4.
Impact
------
In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space). That value is passed to jQuery, which sees it as a same-origin request and sends the user's CSRF token to the attacker domain.
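The following is an added example, not code from jquery-ujs or from the advisory: it contrasts a simplified scheme-anchored origin check, which misclassifies the leading-space URL described above, with a check that resolves the URL the way a browser does before deciding whether to attach the token. The function names, the application origin https://app.example and the sample token are assumptions made for the illustration.

```javascript
// Added illustration; names and sample values are constructed, not jquery-ujs code.

// Simplified naive check: a scheme-anchored regex. When the regex does not
// match, the URL is assumed to be relative and therefore same-origin.
function naiveIsCrossDomain(url, pageOrigin) {
  const m = /^([\w.+-]+:)\/\/([^\/?#]*)/.exec(url.toLowerCase());
  if (!m) return false; // " https://attacker.com" lands here: leading space defeats ^
  return `${m[1]}//${m[2]}` !== pageOrigin.toLowerCase();
}

// Hardened check: resolve the URL against the page origin with the WHATWG URL
// parser (which strips leading/trailing whitespace, as the browser will when
// it sends the request), then compare origins. Unparseable input fails closed.
function isCrossDomain(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch (e) {
    return true;
  }
}

// Attach the CSRF token only to requests that stay on the page's own origin.
function csrfHeadersFor(url, pageOrigin, token) {
  return isCrossDomain(url, pageOrigin) ? {} : { 'X-CSRF-Token': token };
}
```

The durable fix remains upgrading to the fixed versions listed above; the check only shows why the origin decision has to be made on the parsed URL rather than on the raw attribute string.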
Reference:
http://seclists.org/oss-sec/2015/q2/730
(from redmine: issue id 4368, created on 2015-06-17, closed on 2015-07-16)
- Relations:
- child #4369 (closed)