Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV2eDUtOXE3My13Z3A0
Safemode Gem Has Incomplete List of Disallowed Inputs
rubygem-safemode, as used in Foreman, versions 1.3.1 and earlier are vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete permissions or possibly to privilege escalation.
Permalink: https://github.com/advisories/GHSA-5vx5-9q73-wgp4JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV2eDUtOXE3My13Z3A0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 6 years ago
Updated: 8 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-5vx5-9q73-wgp4, CVE-2017-7540
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-7540
- https://github.com/svenfuchs/safemode/pull/23
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/safemode/CVE-2017-7540.yml
- https://github.com/advisories/GHSA-5vx5-9q73-wgp4
Blast Radius: 15.4
Affected Packages
rubygems:safemode
Dependent packages: 0Dependent repositories: 37
Downloads: 845,844 total
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 0.0.2, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.1
All unaffected versions: 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4.0, 1.5.0