Upstream information

CVE-2011-0447 at MITRE

Description

Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	Partial
Availability Impact	Partial

SUSE Bugzilla entry: 668817 [RESOLVED / FIXED]

SUSE Security Advisories:

SUSE-SU-2012:0434-1, published Fri Mar 30 11:08:17 MDT 2012

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Studio Onsite Runner 1.2	`rubygem-actionmailer-2_3 >= 2.3.14-0.7.4.3` `rubygem-actionpack-2_3 >= 2.3.14-0.7.4.3` `rubygem-activerecord-2_3 >= 2.3.14-0.7.4.3` `rubygem-activeresource-2_3 >= 2.3.14-0.7.4.3` `rubygem-activesupport-2_3 >= 2.3.14-0.7.4.3` `rubygem-rack >= 1.1.2-0.8.8.3` `rubygem-rails-2_3 >= 2.3.14-0.7.4.3`	Patchnames: slestso12-rubyonrails-2314-201202

SUSE Timeline for this CVE

CVE page created: Fri Jun 28 04:22:19 2013
CVE page last modified: Thu Dec 7 12:57:57 2023