oss-sec mailing list archives

CVE request: Arbitrary search execution in ruby gems auto_select2 <0.5.0 and auto_awesomeplete <=0.0.3

From: Reed Loden <reed () reedloden com>
Date: Sun, 10 Jan 2016 18:29:54 -0800

Another RubySec contributor noticed this --
https://github.com/rubysec/ruby-advisory-db/pull/227

The auto_select2 and auto_awesomeplete Gems for Ruby contain a flaw that is
triggered when handling the 'params[:default_class_name]' option. This
allows users to search any object of all given ActiveRecord classes.

auto_select2:
* Homepage: https://github.com/Loriowar/auto_select2
* Download: https://rubygems.org/gems/auto_select2
* Reported in: https://github.com/Loriowar/auto_select2/issues/4
* Fixed by: https://github.com/Loriowar/auto_select2/pull/7
* Fixed in: v0.5.0

auto_awesomeplete:
* Homepage: https://github.com/Tab10id/auto_awesomplete
* Download: https://rubygems.org/gems/auto_awesomeplete
* Reported in: https://github.com/Tab10id/auto_awesomplete/issues/2
* Still unfixed.

Needs a CVE assigned.

~reed
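The bug class behind this report, as an added illustration that is not the gems' own code: a request parameter names the model class to search, so the server resolves whatever class the caller asks for. The stand-in classes, the in-memory rows and the `search_unsafe`/`search_safe` helpers are all constructed for the example; no Rails or ActiveRecord is needed to run it.

```ruby
# Stand-in "models" with constructed in-memory rows (not real data).
class Product
  def self.search(term)
    [%w[widget 9.99], %w[gadget 19.99]].select { |name, _| name.include?(term) }
  end
end

class User
  def self.search(term)
    [['alice', 'alice@example.test']].select { |name, _| name.include?(term) }
  end
end

class ApiToken
  # Never meant to be searchable from a public endpoint.
  def self.search(term)
    [['svc', 'SECRET-PLACEHOLDER']].select { |name, _| name.include?(term) }
  end
end

# Weak pattern: the class name comes straight from the request, so a
# caller can name any loaded class, not just the ones the app intended.
def search_unsafe(params)
  klass = Object.const_get(params[:default_class_name])
  klass.search(params[:term])
end

# Hardened pattern: the request only selects from a server-side allowlist
# of searchable models; any other name is rejected before any lookup.
SEARCHABLE_MODELS = { 'Product' => Product }.freeze

def search_safe(params)
  name = params[:default_class_name]
  klass = SEARCHABLE_MODELS.fetch(name) do
    raise ArgumentError, "model not searchable: #{name.inspect}"
  end
  klass.search(params[:term])
end

if __FILE__ == $PROGRAM_NAME
  p search_unsafe(default_class_name: 'ApiToken', term: 'svc') # leaks the token row
  p search_safe(default_class_name: 'Product', term: 'wid')    # [["widget", "9.99"]]
  begin
    search_safe(default_class_name: 'ApiToken', term: 'svc')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```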
