CVE-2021-29435

Опубликовано: 13 апр. 2021

Источник: nvd

CVSS3: 8.1

CVSS3: 6.5

CVSS2: 4.3

EPSS Низкий

Описание

trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials. The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems.

Ссылки

https://github.com/TrestleAdmin/trestle-auth/commit/cb95b05cdb2609052207af07b4b8dfe3a23c11dc
Patch
Third Party Advisory
https://github.com/TrestleAdmin/trestle-auth/security/advisories/GHSA-h8hx-2c5r-32cf
Third Party Advisory
https://rubygems.org/gems/trestle-auth
Product
Third Party Advisory
https://github.com/TrestleAdmin/trestle-auth/commit/cb95b05cdb2609052207af07b4b8dfe3a23c11dc
Patch
Third Party Advisory
https://github.com/TrestleAdmin/trestle-auth/security/advisories/GHSA-h8hx-2c5r-32cf
Third Party Advisory
https://rubygems.org/gems/trestle-auth
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:trestle-auth_project:trestle-auth:0.4.0:*:*:*:*:ruby:*:*

cpe:2.3:a:trestle-auth_project:trestle-auth:0.4.1:*:*:*:*:ruby:*:*

EPSS

Процентиль: 35%

0.00144

Низкий

8.1 High

CVSS3

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

GHSA-h8hx-2c5r-32cf

CVSS3: 8.1

github

почти 5 лет назад

Cross-Site Request Forgery (CSRF) in trestle-auth

EPSS

Процентиль: 35%

0.00144

Низкий

8.1 High

CVSS3

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-352