oss-sec mailing list archives
CVE request: Arbitrary search execution in ruby gems auto_select2 <0.5.0 and auto_awesomeplete <=0.0.3
From: Reed Loden <reed () reedloden com>
Date: Sun, 10 Jan 2016 18:29:54 -0800
Another RubySec contributor noticed this -- https://github.com/rubysec/ruby-advisory-db/pull/227

The auto_select2 and auto_awesomeplete Gems for Ruby contain a flaw that is triggered when handling the 'params[:default_class_name]' option. This allows users to search any object of all given ActiveRecord classes.

auto_select2:
* Homepage: https://github.com/Loriowar/auto_select2
* Download: https://rubygems.org/gems/auto_select2
* Reported in: https://github.com/Loriowar/auto_select2/issues/4
* Fixed by: https://github.com/Loriowar/auto_select2/pull/7
* Fixed in: v0.5.0

auto_awesomeplete:
* Homepage: https://github.com/Tab10id/auto_awesomplete
* Download: https://rubygems.org/gems/auto_awesomeplete
* Reported in: https://github.com/Tab10id/auto_awesomplete/issues/2
* Still unfixed.

Needs a CVE assigned.

~reed
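The class of bug described in the post, resolving an ActiveRecord model from a caller-supplied 'params[:default_class_name]', is illustrated below with an added example that is not code from either gem or from the advisory. It is plain Ruby so it runs without Rails: the 'Product' and 'User' classes are constructed stand-ins for models, 'Object.const_get' plays the role of ActiveSupport's 'constantize', and 'unsafe_search', 'safe_search' and 'SEARCHABLE' are hypothetical names. The unsafe version lets the caller pick any loaded class; the hardened version resolves the name only through an explicit allowlist and rejects everything else.

```ruby
# Added illustration, not the gems' own code. Plain Ruby stands in for
# Rails/ActiveRecord so this runs offline.

# Constructed stand-in "models"; in a real app these would be ActiveRecord
# classes and `search` would be a scope or `where` query.
class Product
  RECORDS = [{ id: 1, name: "Widget" }, { id: 2, name: "Gadget" }].freeze
  def self.search(term)
    RECORDS.select { |r| r[:name].downcase.include?(term.downcase) }
  end
end

class User
  RECORDS = [{ id: 1, name: "alice", email: "alice@example.test" }].freeze
  def self.search(term)
    RECORDS.select { |r| r[:name].downcase.include?(term.downcase) }
  end
end

# Vulnerable pattern (hypothetical): the caller names the class to search.
# Object.const_get resolves any loaded constant, so a request can reach
# models the search widget was never meant to expose.
def unsafe_search(params)
  klass = Object.const_get(params[:default_class_name])
  klass.search(params[:term])
end

# Hardened pattern: the application decides which classes are searchable.
# The request string is only a key into this allowlist, never a constant.
SEARCHABLE = { "Product" => Product }.freeze

def safe_search(params)
  name = params[:default_class_name]
  klass = SEARCHABLE.fetch(name) do
    raise ArgumentError, "class not searchable: #{name.inspect}"
  end
  klass.search(params[:term])
end

if __FILE__ == $0
  # The unsafe path returns User records for a request that chose "User".
  p unsafe_search(default_class_name: "User", term: "ali")
  # The hardened path refuses the same request.
  begin
    safe_search(default_class_name: "User", term: "ali")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  # Allowlisted classes still work as intended.
  p safe_search(default_class_name: "Product", term: "wid")
end
```

Logging the rejected class name (as 'safe_search' does in its error) gives a detection signal: requests naming classes outside the allowlist are a sign someone is probing the endpoint.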