rubysec · reedloden · Aug 10, 2020 · Aug 4, 2020 · Aug 10, 2020
diff --git a/gems/pghero/CVE-2020-16253.yml b/gems/pghero/CVE-2020-16253.yml
@@ -0,0 +1,26 @@
+---
+gem: pghero
+cve: 2020-16253
+ghsa: v6fx-752r-ccp2
+url: https://github.com/ankane/pghero/issues/330
+title: CSRF Vulnerability with Non-Session Based Authentication
+date: 2020-08-04
+description: |
+  The PgHero dashboard is vulnerable to CSRF with non-session based authentication methods.
+
+  ## Impact
+  The PgHero dashboard is vulnerable to cross-site request forgery (CSRF). This affects the Docker
+  image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with
+  non-session based authentication methods like basic authentication - session-based authentication
+  methods (like Devise's default authentication) are not affected.
+
+  A CSRF attack works by getting an authorized user to visit a malicious website and then performing
+  requests on behalf of the user. In this instance, actions include:
+
+  1. Canceling running queries
+  2. Running `EXPLAIN` on queries (without seeing the results, but can be used for denial of service
+     and other attacks)
+  3. Resetting query stats (running `pg_stat_statements_reset()`)
+
+patched_versions:
+  - ">= 2.7.0"