CSRF Vulnerability in jquery-ujs and jquery-rails

There is a vulnerability in jquery-ujs and jquery-rails that can be used to bypass CSP protections and allows attackers to send CSRF tokens to attacker domains. This vulnerability has been assigned the CVE identifier CVE-2015-1840.

Versions Affected: All.
Not affected: Applications which don't use jquery-ujs or jquery-rails.
Fixed Versions: jquery-rails versions 4.0.4 and 3.1.3 and jquery-ujs 1.0.4.

Impact
------

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to JQuery, who will see this as a same origin request, and send the user's CSRF token to the attacker domain.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters. For example, code like this:

    link_to params

to code like this:

    link_to filtered_params

    def filtered_params
      # Filter just the parameters that you trust
    end

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series. They are in git-am format and consist of a single changeset.

* 1-0-3-jquery_ujs_csrf.patch - Patch for jquery-ujs 1.0.3.
* 3-1-2-jquery-rails-csrf.patch - Patch for jquery-rails 3.1.2.
* 4-0-3-jquery-rails-csrf.patch - Patch for jquery-rails 4.0.3.

Credits
-------

Thanks to Ben Toews of GitHub for reporting the vulnerability to us, and working with us on a fix.
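The leading-space trick in the advisory works because the same-origin decision was made by an anchored regex that fails open when it does not match. The following added example (not code from jquery-ujs, jquery-rails or jQuery; the regex is a constructed approximation of jQuery 1.x's URL parsing, and `app.example` / `attacker.example` are placeholder hosts) contrasts that fail-open check with a fail-closed one that resolves the href the way the browser will before comparing origins:

```javascript
// Constructed approximation of the scheme/host/port regex jQuery 1.x used
// to decide crossDomain. It is anchored at the start of the string, so a
// leading space produces no match at all.
const RURL = /^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/;

function defaultPort(scheme) {
  return scheme === 'http:' ? '80' : '443';
}

// Fail-open variant: when the regex does not match, `parts` is null and the
// whole expression is false, i.e. the request is treated as same-origin and
// the X-CSRF-Token header would be attached.
function looseIsCrossDomain(url, origin) {
  const parts = RURL.exec(url.toLowerCase());
  const loc = RURL.exec(origin.toLowerCase());
  return !!(parts && (
    parts[1] !== loc[1] ||
    parts[2] !== loc[2] ||
    (parts[3] || defaultPort(parts[1])) !== (loc[3] || defaultPort(loc[1]))));
}

// Fail-closed variant: the WHATWG URL parser strips leading/trailing
// whitespace and resolves relative hrefs against the page origin, so the
// comparison sees the destination the browser will actually request; any
// parse error is treated as cross-domain and no token is sent.
function strictIsCrossDomain(url, origin) {
  try {
    return new URL(url, origin).origin !== new URL(origin).origin;
  } catch (e) {
    return true;
  }
}

// Would the CSRF token be attached to a request for `url` from `origin`?
function wouldSendToken(isCrossDomain, url, origin) {
  return !isCrossDomain(url, origin);
}

// Constructed samples: a relative link, a foreign one, and the leading-space
// variant from the advisory (placeholder hosts, not real sites).
const ORIGIN = 'https://app.example';
const SAMPLE_HREFS = ['/posts/1', 'https://attacker.example/x', ' https://attacker.example/x'];

function compare() {
  return SAMPLE_HREFS.map((href) => ({
    href,
    looseSends: wouldSendToken(looseIsCrossDomain, href, ORIGIN),
    strictSends: wouldSendToken(strictIsCrossDomain, href, ORIGIN),
  }));
}
```

Running `compare()` shows the loose check leaking the token only for the leading-space href, while the strict check withholds it for both foreign hrefs and still allows the relative one.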
dev-ruby/jquery-rails-3.1.3 and dev-ruby/jquery-rails-4.0.4 are now in the gentoo tree. dev-ruby/jquery-rails:2 is not mentioned in the CVE but assumed to be vulnerable as well. It will be masked for removal along with dev-ruby/best_in_place-2.1.0 which still depends on it. We still have a pending version bump for best_in_place that should probably be done first.
I removed vulnerable versions for slot :3 and :4. Still waiting for :2
best_in_place-3.0.3 is now in the tree. Nothing in the tree depends on it, so I've removed the old version right away.
Security: Please ack that no GLSA is needed (no stable) and mark as resolved.