{ "schema_version": "1.4.0", "id": "GHSA-h8hx-2c5r-32cf", "modified": "2021-04-13T17:01:38Z", "published": "2021-04-13T17:01:50Z", "aliases": [ "CVE-2021-29435" ], "summary": "Cross-Site Request Forgery (CSRF) in trestle-auth", "details": "### Impact\nA vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials.\n\n### Patches\nThe vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [trestle-auth](https://github.com/TrestleAdmin/trestle-auth/issues)\n* Email the maintainer at [sam@sampohlenz.com](mailto:sam@sampohlenz.com)", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "trestle-auth" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.4.0" }, { "fixed": "0.4.2" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/TrestleAdmin/trestle-auth/security/advisories/GHSA-h8hx-2c5r-32cf" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29435" }, { "type": "WEB", "url": "https://github.com/TrestleAdmin/trestle-auth/commit/cb95b05cdb2609052207af07b4b8dfe3a23c11dc" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/trestle-auth/CVE-2021-29435.yml" }, { "type": "WEB", "url": "https://rubygems.org/gems/trestle-auth" } ], "database_specific": { "cwe_ids": [ "CWE-352" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-04-13T17:01:38Z", "nvd_published_at": "2021-04-13T20:15:00Z" } }