Date: Sun, 10 Jan 2016 18:29:54 -0800 From: Reed Loden <reed@...dloden.com> To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: CVE request: Arbitrary search execution in ruby gems auto_select2 <0.5.0 and auto_awesomeplete <=0.0.3 Another RubySec contributor noticed this -- https://github.com/rubysec/ruby-advisory-db/pull/227 The auto_select2 and auto_awesomeplete Gems for Ruby contain a flaw that is triggered when handling the 'params[:default_class_name]' option. This allows users to search any object of all given ActiveRecord classes. auto_select2: * Homepage: https://github.com/Loriowar/auto_select2 * Download: https://rubygems.org/gems/auto_select2 * Reported in: https://github.com/Loriowar/auto_select2/issues/4 * Fixed by: https://github.com/Loriowar/auto_select2/pull/7 * Fixed in: v0.5.0 auto_awesomeplete: * Homepage: https://github.com/Tab10id/auto_awesomplete * Download: https://rubygems.org/gems/auto_awesomeplete * Reported in: https://github.com/Tab10id/auto_awesomplete/issues/2 * Still unfixed. Needs a CVE assigned. ~reed
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.