Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV2eDUtOXE3My13Z3A0

Safemode Gem Has Incomplete List of Disallowed Inputs

rubygem-safemode, as used in Foreman, is vulnerable in versions 1.3.1 and earlier to a bypass of its safe-mode restrictions via special Ruby syntax, because the gem's list of disallowed inputs is incomplete. This can lead to deletion of objects for which the user does not have delete permissions, or possibly to privilege escalation.

Permalink: https://github.com/advisories/GHSA-5vx5-9q73-wgp4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV2eDUtOXE3My13Z3A0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 7 years ago
Updated: over 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00205
EPSS Percentile: 0.58164

Identifiers: GHSA-5vx5-9q73-wgp4, CVE-2017-7540
References: Repository: https://github.com/svenfuchs/safemode
Blast Radius: 15.4

Affected Packages

rubygems:safemode
Dependent packages: 0
Dependent repositories: 37
Downloads: 867,973 total
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 0.0.2, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.1
All unaffected versions: 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4.0, 1.5.0