PT-2023-24673 · Avo · Avo

Flx-0X00

Published: 2023-06-05 · Updated: 2023-06-12 · CVE-2023-34102

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Avo versions (affected versions not specified)
Description: The polymorphic field type in Avo stores the class names it will operate on when a record is updated with user input, and it does not validate them on the back end. This can lead to unexpected behavior, remote code execution, or application crashes when a manipulated record is viewed. The issue stems from the use of safe_constantize / constantize in Rails, which look up a class by name within the Rails context and return it for further use. Avo assumes that the class named in the user's request is a valid one and attempts to work with it, which may result in dangerous behavior and code execution.
Recommendations: To resolve the issue, Avo should be configured never to trust user-supplied input, especially where that input names the class for a record. Avo can evaluate the options list given for the polymorphic field and accept only strings from that list, an allow-list approach that prevents attackers from supplying unintended classes. As a temporary workaround, consider limiting access to untrusted users until a new release is made. At the moment there is no information about a newer version that contains a fix for this vulnerability.
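The pattern behind the description and the allow-list fix from the recommendations, as an added example that is not Avo's code and is not taken from the advisory: a request string is resolved to a class either directly (the unsafe pattern) or only by comparison against the types the polymorphic field was configured with. The example runs without Rails, so Object.const_get stands in for Rails' constantize; the model classes, the PERMITTED_TYPES list and the function names are assumptions constructed for illustration.

```ruby
# Added example (not Avo's or Rails' code). Object.const_get stands in for
# Rails' constantize; safe_constantize differs only in returning nil instead
# of raising for an unknown name, and still returns any class that does exist.

# Constructed stand-ins for the models a polymorphic association may point at.
class Post;    end
class Project; end

# A class that must never be reachable from request input; constructed here to
# show that an unfiltered class lookup returns it just like any other class.
class DangerousCommand
  def self.run(arg)
    "executed #{arg}"
  end
end

# The types the polymorphic field was configured with. This mirrors a
# per-field options list (an assumption about configuration, not Avo's API).
PERMITTED_TYPES = [Post, Project].freeze

# Vulnerable pattern: whatever string arrives in the request becomes a class
# lookup, so the caller gets back any class loaded in the process.
def resolve_type_unsafe(type_param)
  Object.const_get(type_param)
end

# Hardened pattern: the request string is only ever compared against the
# configured list, and the class object comes from the list, not from the
# input. Unknown or nil input raises rather than resolving to anything.
def resolve_type_allowlisted(type_param, permitted = PERMITTED_TYPES)
  permitted.find { |klass| klass.name == type_param } or
    raise ArgumentError, "polymorphic type not permitted: #{type_param.inspect}"
end

# Builds the associated record for a polymorphic assignment using only an
# allow-listed type; this is the point where a form's "type" parameter would
# otherwise be handed straight to constantize.
def build_polymorphic_target(type_param, permitted = PERMITTED_TYPES)
  resolve_type_allowlisted(type_param, permitted).new
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_type_unsafe("DangerousCommand")        # any loaded class resolves
  puts build_polymorphic_target("Post").class         # Post
  begin
    build_polymorphic_target("DangerousCommand")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The comparison is done on the class name string taken from the configured list, so the only classes that can ever be instantiated are those the field's author enumerated; the detection value on the server side is that a rejected type now produces an explicit ArgumentError that can be logged, where the unsafe lookup would silently succeed.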

Exploit

RCE


Weakness Enumeration

Related Identifiers

CVE-2023-34102
GHSA-86H2-2G4G-29QX

Affected Products

Avo