PT-2017-17791 · Ruby · Rubygem-Safemode

Published

2017-07-21

Updated

2019-10-09

CVE-2017-7540

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions rubygem-safemode versions 1.3.2 and earlier

Description The issue allows bypassing of safe mode limitations via special Ruby syntax, potentially leading to the deletion of objects for which the user does not have delete permissions or possibly to privilege escalation.

Recommendations For versions 1.3.2 and earlier, consider disabling the use of special Ruby syntax in safe mode until a patch is available. Restrict access to sensitive objects to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Incomplete List of Disallowed Inputs

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-184

Related Identifiers

CVE-2017-7540

GHSA-5VX5-9Q73-WGP4

GHSA-8474-RC7C-WRHP

Affected Products

Rubygem-Safemode

PT-2017-17791 · Ruby · Rubygem-Safemode

CVE-2017-7540

Weakness Enumeration

Related Identifiers

Affected Products

References · 8