CVE-2021-39197 : better_errors is an open source replacement for the standard Rails error page wi

better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks. As a developer tool, better_errors documentation strongly recommends addition only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors.

Published 2021-09-07 18:15:07

Updated 2021-09-14 18:34:34

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2021-39197

Better Errors Project » Better Errors » For Ruby
Versions before (<) 2.8.0
cpe:2.3:a:better_errors_project:better_errors:*:*:*:*:*:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-39197

EPSS FAQ

0.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-39197

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N	1.8	4.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-39197

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-39197

https://github.com/BetterErrors/better_errors/commit/8e8e796bfbde4aa088741823c8a3fc6df2089bb0

Merge pull request #474 from BetterErrors/feature/add-csrf-to-requests · BetterErrors/better_errors@8e8e796 · GitHub
Patch;Third Party Advisory
https://github.com/BetterErrors/better_errors/discussions/507

Cross-Site Request Forgery vulnerability · Discussion #507 · BetterErrors/better_errors · GitHub
Third Party Advisory
https://github.com/BetterErrors/better_errors/security/advisories/GHSA-w3j4-76qw-wwjm

Vulnerable to Cross-Site Request Forgery in development · Advisory · BetterErrors/better_errors · GitHub
Third Party Advisory
https://github.com/BetterErrors/better_errors/pull/474

Add CSRF protection to internal requests by RobinDaugherty · Pull Request #474 · BetterErrors/better_errors · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-39197

Products affected by CVE-2021-39197

Exploit prediction scoring system (EPSS) score for CVE-2021-39197

CVSS scores for CVE-2021-39197

CWE ids for CVE-2021-39197

References for CVE-2021-39197