gsd-2015-1840
Vulnerability from gsd
Modified
2015-06-16 00:00
Details
In the scenario where an attacker might be able to control the href attribute
of an anchor tag or the action attribute of a form tag that will trigger a
POST action, the attacker can set the href or action to
" https://attacker.com" (note the leading space) that will be passed to
JQuery, who will see this as a same origin request, and send the user's CSRF
token to the attacker domain.
To work around this problem, change code that allows users to control the
href attribute of an anchor tag or the action attribute of a form tag to
filter the user parameters.
For example, code like this:
link_to params
to code like this:
link_to filtered_params
def filtered_params
\# Filter just the parameters that you trust
end
See also:
- http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-1840",
"description": "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.",
"id": "GSD-2015-1840",
"references": [
"https://www.suse.com/security/cve/CVE-2015-1840.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "jquery-rails",
"purl": "pkg:gem/jquery-rails"
}
}
],
"aliases": [
"CVE-2015-1840",
"GHSA-4whc-pp4x-9pf3"
],
"details": "In the scenario where an attacker might be able to control the href attribute\nof an anchor tag or the action attribute of a form tag that will trigger a\nPOST action, the attacker can set the href or action to\n\" https://attacker.com\" (note the leading space) that will be passed to\nJQuery, who will see this as a same origin request, and send the user\u0027s CSRF\ntoken to the attacker domain.\n\nTo work around this problem, change code that allows users to control the\nhref attribute of an anchor tag or the action attribute of a form tag to\nfilter the user parameters.\n\nFor example, code like this:\n\n link_to params\n\nto code like this:\n\n link_to filtered_params\n\n def filtered_params\n \\# Filter just the parameters that you trust\n end\n\nSee also:\n- http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/\n",
"id": "GSD-2015-1840",
"modified": "2015-06-16T00:00:00.000Z",
"published": "2015-06-16T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "CSRF Vulnerability in jquery-rails"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1840",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2015-10144",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/161043.html"
},
{
"name": "openSUSE-SU-2015:1260",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00041.html"
},
{
"name": "[oss-security] 20150616 [CVE-2015-1840] CSRF Vulnerability in jquery-ujs and jquery-rails",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2015/06/16/15"
},
{
"name": "FEDORA-2015-10258",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160906.html"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-1840] CSRF Vulnerability in jquery-ujs and jquery-rails",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J"
},
{
"name": "75239",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/75239"
},
{
"name": "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"url": "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md"
},
{
"name": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-1840",
"cvss_v2": 5.0,
"date": "2015-06-16",
"description": "In the scenario where an attacker might be able to control the href attribute\nof an anchor tag or the action attribute of a form tag that will trigger a\nPOST action, the attacker can set the href or action to\n\" https://attacker.com\" (note the leading space) that will be passed to\nJQuery, who will see this as a same origin request, and send the user\u0027s CSRF\ntoken to the attacker domain.\n\nTo work around this problem, change code that allows users to control the\nhref attribute of an anchor tag or the action attribute of a form tag to\nfilter the user parameters.\n\nFor example, code like this:\n\n link_to params\n\nto code like this:\n\n link_to filtered_params\n\n def filtered_params\n \\# Filter just the parameters that you trust\n end\n\nSee also:\n- http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/\n",
"gem": "jquery-ujs",
"ghsa": "4whc-pp4x-9pf3",
"patched_versions": [
"\u003e= 1.0.4"
],
"title": "CSRF Vulnerability in jquery-ujs",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c3.1.3||\u003e=4.0.0a \u003c4.0.4",
"affected_versions": "All versions before 3.1.3, all versions starting from 4.0.0a before 4.0.4",
"credit": "Ben Toews of GitHub",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-937"
],
"date": "2018-10-30",
"description": "In the scenario where an attacker might be able to control the `href` attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the `href` or `action` to ` https://attacker.com` (note the leading space) that will be passed to JQuery, who will see this as a same origin request, and send the user\u0027s CSRF token to the attacker domain.",
"fixed_versions": [
"3.1.3",
"4.0.4"
],
"identifier": "CVE-2015-1840",
"identifiers": [
"CVE-2015-1840"
],
"package_slug": "gem/jquery-rails",
"pubdate": "2015-07-26",
"solution": "Upgrade to latest, apply patch or use workaround; see provided link.",
"title": "CSRF vulnerability",
"urls": [
"https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY"
],
"uuid": "1fbb8814-1e70-42ab-a3c2-b19fb3dfc5e8"
},
{
"affected_range": "\u003c1.0.4",
"affected_versions": "All versions before 1.0.4",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-352",
"CWE-937"
],
"date": "2021-09-01",
"description": "jquery_ujs.js in jquery-rails and rails.js in jquery-ujs, as used with Ruby on Rails, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.",
"fixed_versions": [
"1.0.4"
],
"identifier": "CVE-2015-1840",
"identifiers": [
"GHSA-4whc-pp4x-9pf3",
"CVE-2015-1840"
],
"not_impacted": "All versions starting from 1.0.4",
"package_slug": "gem/jquery-ujs",
"pubdate": "2017-10-24",
"solution": "Upgrade to version 1.0.4 or above.",
"title": "Exposure of Sensitive Information to an Unauthorized Actor",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-1840",
"https://github.com/advisories/GHSA-4whc-pp4x-9pf3",
"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md",
"https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md",
"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J",
"http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160906.html",
"http://lists.fedoraproject.org/pipermail/package-announce/2015-June/161043.html",
"http://lists.opensuse.org/opensuse-updates/2015-07/msg00041.html",
"http://openwall.com/lists/oss-security/2015/06/16/15",
"http://www.securityfocus.com/bid/75239"
],
"uuid": "d2aee5c2-1058-4cfa-80bf-3c39413b1b2b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:jquery-rails:4.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:jquery-rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.1.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:jquery-rails:4.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:jquery-ujs:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1840"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md"
},
{
"name": "[rubyonrails-security] 20150616 [CVE-2015-1840] CSRF Vulnerability in jquery-ujs and jquery-rails",
"refsource": "MLIST",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J"
},
{
"name": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md"
},
{
"name": "[oss-security] 20150616 [CVE-2015-1840] CSRF Vulnerability in jquery-ujs and jquery-rails",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2015/06/16/15"
},
{
"name": "openSUSE-SU-2015:1260",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00041.html"
},
{
"name": "FEDORA-2015-10258",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160906.html"
},
{
"name": "FEDORA-2015-10144",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/161043.html"
},
{
"name": "75239",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/75239"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2018-10-30T16:27Z",
"publishedDate": "2015-07-26T22:59Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…