Message-ID: <CALPTtNXsEMS0HKL5Lk9tVUp+n=Lr58j30nQ8QcaKDAExSrtbJA@mail.gmail.com>
Date: Sun, 10 Jan 2016 18:29:54 -0800
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: Arbitrary search execution in ruby gems auto_select2 <0.5.0 and auto_awesomeplete <=0.0.3

Another RubySec contributor noticed this --
https://github.com/rubysec/ruby-advisory-db/pull/227

The auto_select2 and auto_awesomeplete Gems for Ruby contain a flaw that is
triggered when handling the 'params[:default_class_name]' option. This
allows users to search any object of all given ActiveRecord classes.

auto_select2:
* Homepage: https://github.com/Loriowar/auto_select2
* Download: https://rubygems.org/gems/auto_select2
* Reported in: https://github.com/Loriowar/auto_select2/issues/4
* Fixed by: https://github.com/Loriowar/auto_select2/pull/7
* Fixed in: v0.5.0

auto_awesomeplete:
* Homepage: https://github.com/Tab10id/auto_awesomplete
* Download: https://rubygems.org/gems/auto_awesomeplete
* Reported in: https://github.com/Tab10id/auto_awesomplete/issues/2
* Still unfixed.

Needs a CVE assigned.

~reed
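The pattern behind the flaw the report describes, shown as an added illustration rather than code from auto_select2 or auto_awesomeplete: a model class name is taken from `params[:default_class_name]` and resolved to whatever constant it names, so any loaded ActiveRecord class becomes searchable. The models, the `search` method and the `vulnerable_lookup`/`safe_lookup` functions are constructed stand-ins (plain Ruby, no Rails) so the snippet runs offline; the hardened version replaces dynamic constant resolution with an explicit allowlist of classes the endpoint is meant to serve.

```ruby
# Added example, not code from either gem. ActiveRecord is replaced by
# constructed stand-in classes so this runs without Rails.

class User
  def self.search(term)
    ["user:#{term}"]
  end
end

class Product
  def self.search(term)
    ["product:#{term}"]
  end
end

class AuditLog
  # A model the autocomplete endpoint was never intended to expose.
  def self.search(term)
    ["auditlog:#{term}"]
  end
end

# Vulnerable pattern (hypothetical): the client-supplied name is resolved
# with Object.const_get (Rails' String#constantize behaves the same way),
# so every loaded model, not just the intended ones, can be searched.
def vulnerable_lookup(params)
  klass = Object.const_get(params[:default_class_name])
  klass.search(params[:term])
end

# Hardened pattern: only classes the application explicitly registers are
# reachable; any other name is rejected before a lookup happens.
ALLOWED_SEARCH_CLASSES = {
  "User" => User,
  "Product" => Product
}.freeze

class DisallowedClass < StandardError; end

def safe_lookup(params)
  klass = ALLOWED_SEARCH_CLASSES.fetch(params[:default_class_name]) do
    raise DisallowedClass, "class not registered for autocomplete search"
  end
  klass.search(params[:term])
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_lookup(default_class_name: "AuditLog", term: "x")  # reaches the unintended model
  p safe_lookup(default_class_name: "User", term: "x")
  begin
    safe_lookup(default_class_name: "AuditLog", term: "x")
  rescue DisallowedClass => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist is the check a maintainer would want in the fix: the set of searchable models is a server-side decision, and the request parameter only selects among them.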
