Added CVE-2023-25015 for clockwork_web

rubysec · Feb 2, 2023 · 8207385 · 8207385
1 parent 04cb4e2
commit 8207385
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/gems/clockwork_web/CVE-2023-25015.yml b/gems/clockwork_web/CVE-2023-25015.yml
@@ -0,0 +1,14 @@
+---
+gem: clockwork_web
+cve: 2023-25015
+url: https://github.com/ankane/clockwork_web/issues/4
+title: CSRF Vulnerability with Rails < 5.2
+date: 2023-02-01
+description: |
+  Clockwork Web is vulnerable to cross-site request forgery (CSRF) with Rails < 5.2.
+
+  A CSRF attack works by getting an authorized user to visit a malicious website and
+  then performing requests on behalf of the user. In this instance, actions include
+  enabling and disabling jobs.
+patched_versions:
+- ">= 0.1.2"