Cross-site Request Forgery (CSRF) Affecting better_errors package, versions <2.8.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-BETTERERRORS-1583446
- published 8 Sep 2021
- disclosed 7 Sep 2021
- credit Unknown
Introduced: 7 Sep 2021
CVE-2021-39197 Open this link in a new tabHow to fix?
Upgrade better_errors to version 2.8.0 or higher.
Overview
better_errors is a package that provides a better error page for Rails and other Rack apps. Includes source code inspection, a live REPL and local/instance variable inspection for all stack frames.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) better_errors did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks.
As a developer tool, better_errors documentation strongly recommends addition only to the development bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the development group (or the non-Rails equivalent).