Fix for CVE-2024-7106 - Cross-Site Request Forgery? #1381
Comments
No. The "bug" they submitted was only tested on the live demo website and is caused by the live demo not having any authentication or authorization, which is of course purposefully disabled for demo purposes... This is not present in the Spina gem and has nothing to do with it. I've been unable to have this CVE removed. I have also never been contacted by the individual that published this CVE. It's a scam, sadly. I'm planning on re-adding password authentication to our live demo site and releasing a new version of the Spina gem just to clear this up.
Thank you for the rapid response, and the context missing from the official CVE pages. We use automated tooling to make sure we're addressing vulnerabilities (real or imagined!), so it is great to hear that there's a straightforward solution to this. Please could this issue stay open until the new version is released?
Agreed!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Please can this be re-opened until the CVE is resolved?
This CVE does not apply to the Spina gem; it's garbage. I don't know how to prevent someone from submitting this.
I totally agree with your earlier assessment, but you also proposed a simple workaround:
Many thanks!
I deleted the live demo and opened a PR for v2.19: #1394
Hello
Is there a fix available (or planned) for CVE-2024-7106?
At the moment Bundler Audit is recommending we "remove or disable this gem until a patch is available", which isn't much of a long-term solution!
Many thanks
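For readers in the same position as the issue author, here is an added configuration example (not from the Spina project or from anyone in this thread) showing how bundler-audit can be told to skip a specific advisory instead of removing the gem. bundler-audit reads a `.bundler-audit.yml` file from the project root; advisory IDs listed under `ignore:` are excluded from the report. The only ID here is the one discussed above; the comments are assumptions about how a team would record the decision.

```yaml
# .bundler-audit.yml (project root)
# Advisories listed here are skipped by `bundle audit check`.
# Record the reason next to each entry so the exception is reviewable
# and can be removed once the upstream fix/updated version is released.
ignore:
  - CVE-2024-7106   # disputed by the Spina maintainer: affected only the
                    # unauthenticated live demo site, not the gem itself
                    # (see spina issue #1381); re-check after the v2.19 release
```

The same effect can be had on the command line with `bundle audit check --ignore CVE-2024-7106`, but the config file keeps the rationale alongside the exception, which is what an auditor will ask for later.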