CVE-2020-8166: Cross-Site Request Forgery (CSRF)

July 2, 2020 (updated November 20, 2020)

A CSRF forgery vulnerability exists in rails, rails that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

References

groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
hackerone.com/reports/732415
nvd.nist.gov/vuln/detail/CVE-2020-8166
www.debian.org/security/2020/dsa-4766

Detect and mitigate CVE-2020-8166 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →