Vulnerability title
Arbitrary method invocation in turbo_boost-commands
Vulnerability description
turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. TurboBoost Commands already has protections in place for public method calls on Command classes; however, the existing checks are not as strict as they should be.
Depending on how strictly an individual application enforces its own authorization checks, a sophisticated attacker may be able to invoke more methods than should be permitted. To prevent all unintended code execution, the library should determine more strictly which methods are considered safe before executing them.
This issue has been addressed in versions 0.1.3 and 0.2.2. Users are advised to upgrade. Users unable to upgrade should see the repository GHSA for workaround advice.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Improper Authorization
Vulnerability title
Arbitrary method invocation turbo_boost-commands
Vulnerability description
turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted, depending on the strictness of the authorization checks that individual applications enforce. Being able to call some of these methods can have security implications. Commands verify that the class must be a `Command` and that the method requested is defined as a public method; however, this isn't robust enough to guard against all unwanted code execution, because a public method of that name may be inherited rather than declared by the command itself. The library should more strictly enforce which methods are considered safe before allowing them to be executed. This issue has been addressed in versions 0.1.3 and 0.2.2. Users are advised to upgrade. Users unable to upgrade should see the repository GHSA for workaround advice.
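The weakness the advisory describes, illustrated with an added example that is not turbo_boost-commands' own code: a toy dispatcher whose only guard is "the class is a `Command` subclass and a public method of that name is defined" accepts methods the command inherits from `Object` and `Kernel`, while a stricter variant allows only methods the command class itself declares. `Command`, `GreetCommand`, `weakly_allowed?`, `strictly_allowed?`, `command_methods` and the two `*_dispatch` helpers are all hypothetical names chosen for this example.

```ruby
# Added example (hypothetical, not turbo_boost-commands' own code): a toy
# command dispatcher showing why "subclass of Command + public method of that
# name" is too weak a check, beside a stricter allow-list built only from the
# methods the command class itself declares.

class Command                  # assumed base class standing in for the library's
  attr_reader :state

  def initialize
    @state = {}
  end
end

class GreetCommand < Command   # assumed application command
  def greet(name)
    "hello, #{name}"
  end
end

# Weak check: every public method reachable on the instance passes, including
# Object/Kernel methods such as send, instance_eval and instance_variable_set.
def weakly_allowed?(klass, name)
  klass.is_a?(Class) && klass < Command && klass.public_method_defined?(name)
end

# Strict check: only public methods declared on the command class itself (or on
# Command subclasses between it and Command in the ancestry). Nothing inherited
# from Command, Object, Kernel or BasicObject is reachable.
def command_methods(klass)
  klass.ancestors
       .take_while { |a| a != Command }
       .select { |a| a.is_a?(Class) }                # skip mixed-in modules
       .flat_map { |a| a.public_instance_methods(false) }
       .map(&:to_s)
       .uniq
end

def strictly_allowed?(klass, name)
  klass.is_a?(Class) && klass < Command && command_methods(klass).include?(name.to_s)
end

# Both dispatchers take the untrusted class and method names from the request.
def weak_dispatch(class_name, method_name, *args)
  klass = Object.const_get(class_name)
  raise ArgumentError, "method not allowed" unless weakly_allowed?(klass, method_name)
  klass.new.public_send(method_name, *args)
end

def strict_dispatch(class_name, method_name, *args)
  klass = Object.const_get(class_name)
  raise ArgumentError, "method not allowed" unless strictly_allowed?(klass, method_name)
  klass.new.public_send(method_name, *args)
end

if __FILE__ == $PROGRAM_NAME
  p weak_dispatch("GreetCommand", "greet", "ann")                       # "hello, ann"
  p weak_dispatch("GreetCommand", "instance_variable_set", "@state", 1) # 1: inherited Object method reached
  p strict_dispatch("GreetCommand", "greet", "ann")                     # "hello, ann"
  begin
    strict_dispatch("GreetCommand", "instance_variable_set", "@state", 1)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"                                       # rejected: method not allowed
  end
end
```

The strict list should be computed once per command class at boot and compared as strings, so that request input never creates symbols and never reaches reflection methods. A real dispatcher would also resolve the class through an explicit registry of commands rather than `Object.const_get` on request data.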
CVSS information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Vulnerability title
TurboBoost Commands injection vulnerability
Vulnerability description
TurboBoost Commands is a tool for developing reactive applications. TurboBoost Commands versions before 0.1.3 and before 0.2.2 contain an injection vulnerability. It stems from the existing security checks not being robust enough to prevent all code execution.
CVSS information
N/A
Vulnerability category
Injection