Background
We are running Rails LTS version 4.2.11.20 and Brakeman is reporting a CSRF vulnerability warning. While no CVE id is provided in the warning, the closest match I can find in known vulnerabilities for vanilla Rails is CVE-2020-8166, which RailsLTS says does not affect v4.2 of LTS or any of their other supported Rails versions.
Brakeman version: 5.0.0
Rails version: 4.2.11.20 (RailsLTS)
Ruby version: 2.5.9
Link to Rails application code: N/A
False Positive
Full warning from Brakeman:
Confidence: Medium
Category: Cross-Site Request Forgery
Check: CSRFTokenForgeryCVE
Message: Rails 4.2.11.20 has a vulnerability that may allow CSRF token forgery. Upgrade to Rails 5.2.4.3 or patch
File: Gemfile.lock
Line: 586
Relevant code:
Line 586 contains this:
rails (4.2.11.20)
Why might this be a false positive?
CVE-2020-8166 is listed as not affecting RailsLTS v4.2, and RailsLTS tell us they're unaware of any known vulnerabilities in RailsLTS v4.2.11.20.
```
CVE-2020-8166
Rails 2.3 LTS is not affected.
Rails 3.2 LTS is not affected.
Rails 4.2 LTS is not affected.
```
https://makandracards.com/railslts/474590-list-of-cves-addressed-by-rails-lts
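The following is an added example, not code from Brakeman or from the reporter: it reproduces what a version-only check like CSRFTokenForgeryCVE can see in Gemfile.lock, and shows why a Rails LTS build lands on the "vulnerable" side of a plain Gem::Version comparison. It assumes a constructed lockfile excerpt, models only the fixed version named in the warning (5.2.4.3), and takes 4.2.11.3 as the last upstream 4.2 release so that a higher fourth segment can be recognised as an LTS backport needing vendor-advisory review rather than an automatic upgrade.

```ruby
require 'rubygems'

# Constructed Gemfile.lock excerpt; the rails line matches the one in the report.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.13)
      rails (4.2.11.20)
      railties (4.2.11.20)
LOCK

# Only the fix release named in the Brakeman message is modelled here;
# other fixed branches (e.g. 6.x) are deliberately out of scope.
FIXED_VERSION = Gem::Version.new('5.2.4.3')

# Assumption: 4.2.11.3 was the last upstream 4.2 release, so a 4.2.11.x
# version with a larger fourth segment can only come from a backport line
# such as Rails LTS, which a version-number check cannot distinguish.
LAST_UPSTREAM_4_2 = Gem::Version.new('4.2.11.3')

# Extract the pinned rails version exactly as a lockfile-based check would:
# by pattern-matching the "rails (x.y.z)" line, nothing more.
def rails_version(lockfile)
  m = lockfile.match(/^\s*rails \((\d+(?:\.\d+)*)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# :not_affected  -> at or above the fix release
# :lts_review    -> below the fix release, but an LTS-style backport; the
#                   vendor's CVE list decides, not the version number
# :vulnerable    -> below the fix release on an upstream (EOL) version
def assess(version)
  return :not_affected if version >= FIXED_VERSION
  if version.segments[0, 3] == [4, 2, 11] && version > LAST_UPSTREAM_4_2
    :lts_review
  else
    :vulnerable
  end
end

if $PROGRAM_NAME == __FILE__
  v = rails_version(GEMFILE_LOCK)
  puts "rails #{v}: #{assess(v)}"   # rails 4.2.11.20: lts_review
end
```

Running it against the constructed lockfile yields `:lts_review` for 4.2.11.20, i.e. the warning is expected from a version-only check and has to be closed out against the Rails LTS CVE list by hand.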