Date: Sun, 10 Jan 2016 18:29:54 -0800
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: Arbitrary search execution in ruby gems auto_select2 <0.5.0 and auto_awesomeplete <=0.0.3

Another RubySec contributor noticed this -- https://github.com/rubysec/ruby-advisory-db/pull/227

The auto_select2 and auto_awesomeplete Gems for Ruby contain a flaw that is triggered when handling the 'params[:default_class_name]' option. This allows users to search any object of all given ActiveRecord classes.

auto_select2:
* Homepage: https://github.com/Loriowar/auto_select2
* Download: https://rubygems.org/gems/auto_select2
* Reported in: https://github.com/Loriowar/auto_select2/issues/4
* Fixed by: https://github.com/Loriowar/auto_select2/pull/7
* Fixed in: v0.5.0

auto_awesomeplete:
* Homepage: https://github.com/Tab10id/auto_awesomplete
* Download: https://rubygems.org/gems/auto_awesomeplete
* Reported in: https://github.com/Tab10id/auto_awesomplete/issues/2
* Still unfixed.

Needs a CVE assigned.

~reed
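The flaw class described in the request above, as an added illustration that is not code from auto_select2, auto_awesomeplete or the linked issues: a search endpoint that resolves the class to query from a request-supplied name (here `params[:default_class_name]`) lets the caller pick any class the process can see, not just the ones the endpoint was configured for. The stand-in model classes (`User`, `ApiKey`), their `search` method, and both controller-style functions are constructed for this example; the gems' real internals are not shown on this page and may differ. The hardened variant resolves the name through an explicit allowlist and rejects anything else.

```ruby
# Added example; not the auto_select2 / auto_awesomeplete source.
# Plain Ruby stand-ins for ActiveRecord models so this runs without Rails.

class User
  # Stand-in for a scoped ActiveRecord query on the intended model.
  def self.search(term)
    ["User matching #{term}"]
  end
end

class ApiKey
  # A model the search endpoint was never meant to expose.
  def self.search(term)
    ["ApiKey matching #{term}"]
  end
end

# Vulnerable pattern (assumed shape of the reported flaw): the class to
# search is taken straight from the request and resolved by name, so every
# constant visible to the process becomes reachable through the endpoint.
def vulnerable_search(params)
  klass = Object.const_get(params[:default_class_name].to_s)
  klass.search(params[:term])
end

# Hardened pattern: the request may only select from classes the
# application explicitly registered as searchable.
SEARCHABLE_CLASSES = { "User" => User }.freeze

class ClassNotSearchable < ArgumentError; end

def safe_search(params)
  name = params[:default_class_name].to_s
  klass = SEARCHABLE_CLASSES.fetch(name) do
    # Unknown or unregistered names are refused instead of constantized.
    raise ClassNotSearchable, "#{name.inspect} is not a searchable class"
  end
  klass.search(params[:term])
end

if __FILE__ == $PROGRAM_NAME
  attacker = { default_class_name: "ApiKey", term: "prod" }
  puts "vulnerable: #{vulnerable_search(attacker).inspect}"
  begin
    safe_search(attacker)
  rescue ClassNotSearchable => e
    puts "hardened:   rejected (#{e.message})"
  end
end
```

The allowlist is the fix shape to look for when reviewing the gems' patch: a `Hash` keyed by the exact permitted names, with `fetch` failing closed, rather than a string check followed by `constantize`, which would still reach any constant a crafted name can spell.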