Candidate: CVE-2011-0447
PublicDate: 2011-02-14 21:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447
 http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
 http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c
Description:
 Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4,
 does not properly validate HTTP requests that contain an X-Requested-With
 header, which makes it easier for remote attackers to conduct cross-site
 request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that
 leverage "combinations of browser plugins and HTTP redirects," a related
 issue to CVE-2011-0696.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_rails:
 upstream: https://github.com/rails/rails/commit/7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06
upstream_rails: released (2.3.11,3.0.4)
dapper_rails: ignored (reached end-of-life)
hardy_rails: ignored (reached end-of-life)
karmic_rails: ignored (reached end-of-life)
lucid_rails: released (2.2.3-2ubuntu0.1)
maverick_rails: released (2.3.5-1.1ubuntu0.1)
natty_rails: released (2.3.5-1.2ubuntu1.1)
devel_rails: not-affected (2.3.14.1)