CVE-2020-16253.yml
---
gem: pghero
cve: 2020-16253
ghsa: v6fx-752r-ccp2
url: https://github.com/ankane/pghero/issues/330
title: CSRF Vulnerability with Non-Session Based Authentication
date: 2020-08-04
description: |
  The PgHero dashboard is vulnerable to CSRF with non-session based authentication methods.

  ## Impact
  The PgHero dashboard is vulnerable to cross-site request forgery (CSRF). This affects the Docker
  image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with
  non-session based authentication methods like basic authentication; session-based authentication
  methods (like Devise's default authentication) are not affected.

  A CSRF attack works by getting an authorized user to visit a malicious website and then performing
  requests on behalf of the user. In this instance, actions include:

  1. Canceling running queries
  2. Running `EXPLAIN` on queries (without seeing the results, but can be used for denial of service
     and other attacks)
  3. Resetting query stats (running `pg_stat_statements_reset()`)
cvss_v3: 8.1
patched_versions:
- ">= 2.7.0"
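The advisory draws a line between session-based authentication, where Rails' forgery protection ties a token to the session, and non-session methods such as HTTP Basic auth, where the browser re-sends credentials on every request to the origin, including one triggered by a form on another site. The following is an added example, not pghero's code, that models both the vulnerable pattern (authentication alone gates a state-changing action) and a hardened handler that additionally requires a same-origin `Origin`/`Referer` and a synchronizer token. All names (`DASHBOARD_ORIGIN`, `Request`, `CsrfTokens`, the `/cancel-query` path, the credentials) are constructed for the illustration.

```ruby
require 'securerandom'
require 'base64'

# Constructed model of a dashboard protected by HTTP Basic auth. Hypothetical
# names throughout; this is not pghero's implementation.
DASHBOARD_ORIGIN = 'https://dashboard.example.test'.freeze
BASIC_USER = 'admin'.freeze
BASIC_PASS = 'constructed-password'.freeze
STATE_CHANGING = %w[POST PUT PATCH DELETE].freeze

Request = Struct.new(:method, :path, :headers, :params)

# Compare two strings without leaking their content through timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the username when the Authorization header carries valid Basic credentials.
def basic_auth_user(headers)
  value = headers['Authorization'].to_s
  return nil unless value.start_with?('Basic ')
  user, pass = Base64.decode64(value.sub('Basic ', '')).split(':', 2)
  return nil unless secure_compare(user.to_s, BASIC_USER) && secure_compare(pass.to_s, BASIC_PASS)
  user
end

# Synchronizer tokens issued per authenticated user when a form is rendered
# (kept in memory here for the example).
class CsrfTokens
  def initialize
    @tokens = {}
  end

  def issue(user)
    @tokens[user] = SecureRandom.hex(16)
  end

  def valid?(user, token)
    secure_compare(@tokens[user], token)
  end
end

# Vulnerable pattern: being authenticated is the only condition for running a
# state-changing action. The browser attaches the Basic credentials to any
# request for this origin, including a form auto-submitted from another site.
def vulnerable_handle(req)
  return :unauthorized unless basic_auth_user(req.headers)
  :ok
end

# Hardened pattern: a state-changing request must also prove it came from the
# dashboard itself: a same-origin Origin (or Referer) header and a synchronizer
# token that a page on another origin cannot read.
def hardened_handle(req, tokens)
  user = basic_auth_user(req.headers)
  return :unauthorized unless user
  return :ok unless STATE_CHANGING.include?(req.method)

  source = req.headers['Origin'] || req.headers['Referer'].to_s[%r{\Ahttps?://[^/]+}]
  return :forbidden_csrf unless source == DASHBOARD_ORIGIN
  return :forbidden_csrf unless tokens.valid?(user, req.params['authenticity_token'])
  :ok
end

def browser_auth_header
  'Basic ' + Base64.strict_encode64("#{BASIC_USER}:#{BASIC_PASS}")
end

# Constructed requests: one submitted from the dashboard's own form, one from a
# form on another site. Both carry credentials because the browser adds them.
def legitimate_request(tokens)
  Request.new('POST', '/cancel-query',
              { 'Authorization' => browser_auth_header, 'Origin' => DASHBOARD_ORIGIN },
              { 'authenticity_token' => tokens.issue(BASIC_USER) })
end

def cross_site_request
  Request.new('POST', '/cancel-query',
              { 'Authorization' => browser_auth_header, 'Origin' => 'https://other-site.example.test' },
              {})
end

def demo
  tokens = CsrfTokens.new
  legit = legitimate_request(tokens)
  forged = cross_site_request
  {
    vulnerable_legit: vulnerable_handle(legit),
    vulnerable_forged: vulnerable_handle(forged),      # :ok -- the CSRF the advisory describes
    hardened_legit: hardened_handle(legit, tokens),
    hardened_forged: hardened_handle(forged, tokens)   # :forbidden_csrf
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `Origin` check alone is a useful backstop, but the synchronizer token is what the session-based setups the advisory calls unaffected already get from Rails; with Basic auth the application has to bind that token to the authenticated user itself, as `CsrfTokens` does here.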