Triage GitHub security alerts
Updated by Lucas Di Pentima over 3 years ago
I believe we don't need to do anything at this time, because:
- CVE-2020-8164 (Possible Strong Parameters Bypass in ActionPack): I haven't found any occurrence of code using
- CVE-2020-8166 (Ability to forge per-form CSRF tokens in Rails): It is a low-severity issue and no workarounds are offered, just to upgrade whenever possible.
- CVE-2020-8165 (Unintended unmarshalling in ActiveSupport): It is about MemCacheStore and RedisCacheStore, which we don't use.
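
One way to back the "which we don't use" check in the CVE-2020-8165 item, as an added example that is not part of the original comment or the project's code: a Ruby scan of Rails config sources for `cache_store` settings. The file names and contents are constructed samples, and the comment stripping is a line-based heuristic.

```ruby
# Added example: triage helper for the CVE-2020-8165 item above.
# Store names are the Rails symbols for MemCacheStore and RedisCacheStore.
AFFECTED_STORES = %w[mem_cache_store redis_cache_store].freeze

# Matches `cache_store = :symbol` and
# `cache_store = ActiveSupport::Cache::SomeStore.new(...)`.
CACHE_STORE_RE = /
  \bcache_store\s*=\s*
  (?: :(?<sym>\w+) | (?:::)?ActiveSupport::Cache::(?<klass>\w+) )
/x

# CamelCase class name -> snake_case symbol name.
def underscore(name)
  name.gsub(/([a-z\d])([A-Z])/, '\1_\2').downcase
end

# sources: { path => file contents }. Returns one finding per setting.
def scan_cache_stores(sources)
  sources.flat_map do |file, text|
    text.each_line.with_index(1).map do |line, lineno|
      code = line.sub(/#.*/, "") # heuristic: ignore commented-out settings
      m = CACHE_STORE_RE.match(code)
      next unless m
      store = m[:sym] || underscore(m[:klass])
      { file: file, line: lineno, store: store,
        affected: AFFECTED_STORES.include?(store) }
    end.compact
  end
end

# Constructed sample input (not taken from any real repository).
SAMPLE_SOURCES = {
  "config/environments/production.rb" => <<~RUBY,
    Rails.application.configure do
      # config.cache_store = :mem_cache_store
      config.cache_store = :file_store, "/var/cache/app"
    end
  RUBY
  "config/environments/staging.rb" => <<~RUBY,
    Rails.application.configure do
      config.cache_store = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
    end
  RUBY
}.freeze

scan_cache_stores(SAMPLE_SOURCES).each do |f|
  status = f[:affected] ? "REVIEW for CVE-2020-8165" : "ok"
  puts "#{f[:file]}:#{f[:line]} cache_store=#{f[:store]} #{status}"
end
```

To run it against a checkout, build the hash from the config files on disk, for example with `Dir.glob("config/**/*.rb")` and `File.read`.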