GHSA-mp76-7w5v-pr75

Опубликовано: 15 мар. 2024

Источник: github

Github: Прошло ревью

CVSS3: 8.1

Описание

TurboBoost Commands vulnerable to arbitrary method invocation

Impact

TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the strictness of authorization checks that individual applications enforce. Being able to call some of these methods can have security implications.

Details

Commands verify that the class must be a Command and that the method requested is defined as a public method; however, this isn't robust enough to guard against all unwanted code execution. The library should more strictly enforce which methods are considered safe before allowing them to be executed.

Patches

Patched in the following versions.

0.1.3
- NPM Package
- Ruby GEM
0.2.2
- NPM Package
- Ruby GEM

Workarounds

You can add this guard to mitigate the issue if running an unpatched version of the library.

class ApplicationCommand < TurboBoost::Commands::Command before_command do method_name = params[:name].include?("#") ? params[:name].split("#").last : :perform ancestors = self.class.ancestors[0..self.class.ancestors.index(TurboBoost::Commands::Command) - 1] allowed = ancestors.any? { |a| a.public_instance_methods(false).any? method_name.to_sym } throw :abort unless allowed # ← blocks invocation # raise "Invalid Command" unless allowed # ← blocks invocation end end

Ссылки

Пакеты

Наименование

turbo_boost-commands

rubygems

Затронутые версииВерсия исправления

< 0.1.3

0.1.3

Наименование

turbo_boost-commands

rubygems

Затронутые версииВерсия исправления

>= 0.2.0, < 0.2.2

0.2.2

Наименование

@turbo-boost/commands

npm

Затронутые версииВерсия исправления

< 0.1.3

0.1.3

Наименование

@turbo-boost/commands

npm

Затронутые версииВерсия исправления

>= 0.2.0, < 0.2.2

0.2.2

EPSS

Процентиль: 77%

0.01007

Низкий

8.1 High

CVSS3

CVE ID

CVE-2024-28181

Дефекты

CWE-74

Связанные уязвимости

CVE-2024-28181

CVSS3: 8.1

nvd

почти 2 года назад

turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the strictness of authorization checks that individual applications enforce. Being able to call some of these methods can have security implications. Commands verify that the class must be a `Command` and that the method requested is defined as a public method; however, this isn't robust enough to guard against all unwanted code execution. The library should more strictly enforce which methods are considered safe before allowing them to be executed. This issue has been addressed in versions 0.1.3, and 0.2.2. Users are advised to upgrade. Users unable to upgrade should see the repos

EPSS

Процентиль: 77%

0.01007

Низкий

8.1 High

CVSS3

CVE ID

CVE-2024-28181

Дефекты

CWE-74