CVE-2008-5189: Cross-Site Request Forgery (CSRF)

October 24, 2017 (updated September 14, 2021)

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

References

github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
weblog.rubyonrails.org/2008/10/19/response-splitting-risk
www.securityfocus.com/bid/32359
github.com/advisories/GHSA-jmgf-p46x-982h
nvd.nist.gov/vuln/detail/CVE-2008-5189

Detect and mitigate CVE-2008-5189 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →