CVE-2023-34102

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-34102
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34102.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-34102
Aliases
Published
2023-06-05T22:16:43Z
Modified
2025-10-22T18:38:12.911090Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Summary
Possible unsafe reflection / partial denial of service in avo
Details

Avo is an open source Ruby on Rails admin panel creation framework. Its polymorphic field type takes the class to operate on from user input when a record is updated and does not validate that class on the back end, so a request can name a class the field was never meant to accept. Viewing a record manipulated this way can lead to unexpected behavior, remote code execution, or an application crash. This issue has been addressed in commit ec117882d, which is expected to be included in subsequent releases. Until a release containing the fix is available, users are advised to restrict access by untrusted users.
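
The pattern behind this class of bug, shown as an added example that is not avo's code and not its fix: a polymorphic association whose type is taken from request parameters and resolved straight to a Ruby constant, next to the same handler restricted to an allowlist. The `Post` and `Photo` classes, the `commentable_type`/`commentable_id` parameter names, the `ALLOWED_COMMENTABLE_TYPES` table and the helper functions are all hypothetical stand-ins; the sample requests are constructed for the demonstration.

```ruby
# Added example, not avo's code. Models a polymorphic field whose target
# class is chosen by the client. Class names, parameter names and helpers
# are hypothetical.

# Two hypothetical record types a polymorphic "commentable" field may reference.
class Post
  attr_reader :id
  def initialize(id)
    @id = id
  end

  def self.find(id)
    new(id)
  end
end

class Photo
  attr_reader :id
  def initialize(id)
    @id = id
  end

  def self.find(id)
    new(id)
  end
end

# Vulnerable pattern: the class name comes straight from user input and is
# turned into a constant with no validation (Rails' constantize behaves the
# same way). Any constant reachable from Object can be named (File, Kernel,
# Process, ...), so the client decides which class's methods run next; an
# unknown name raises NameError and a class without the expected interface
# raises NoMethodError, crashing the request.
def resolve_type_unsafe(type_name)
  Object.const_get(type_name)
end

def update_association_unsafe(params)
  klass = resolve_type_unsafe(params["commentable_type"])
  record = klass.find(params["commentable_id"])
  { ok: true, type: klass.name, id: record.id }
end

# Hardened pattern: only the classes the field was declared with may be
# selected, looked up by exact string. Anything else is a validation error
# rather than an exception, so a manipulated request neither reaches an
# arbitrary class nor crashes the view.
ALLOWED_COMMENTABLE_TYPES = { "Post" => Post, "Photo" => Photo }.freeze

def resolve_type_safe(type_name)
  ALLOWED_COMMENTABLE_TYPES[type_name.to_s]
end

def update_association_safe(params)
  klass = resolve_type_safe(params["commentable_type"])
  return { ok: false, error: "commentable_type is not permitted" } if klass.nil?

  record = klass.find(params["commentable_id"])
  { ok: true, type: klass.name, id: record.id }
end

# Constructed sample requests: one legitimate, one manipulated.
LEGIT_PARAMS = { "commentable_type" => "Post", "commentable_id" => "7" }.freeze
EVIL_PARAMS  = { "commentable_type" => "File", "commentable_id" => "/etc/passwd" }.freeze

# Runs the manipulated request through both handlers. The unsafe one resolves
# File and then dies in File.find; the safe one rejects the type up front.
def demo
  unsafe_outcome =
    begin
      update_association_unsafe(EVIL_PARAMS)
    rescue NoMethodError, NameError => e
      {
        ok: false,
        crashed: e.class.name,
        resolved: resolve_type_unsafe(EVIL_PARAMS["commentable_type"]).name
      }
    end
  {
    unsafe: unsafe_outcome,
    safe: update_association_safe(EVIL_PARAMS),
    legit: update_association_safe(LEGIT_PARAMS)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a Rails application the equivalent hardening is to compare the submitted type against the field's declared list of permitted classes before calling `find`; `safe_constantize` alone only avoids the NameError and still resolves any existing class the attacker names.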

Database specific
{
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/avo-hq/avo

Affected ranges

Type
GIT
Repo
https://github.com/avo-hq/avo
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

v0.*

v0.1.1
v0.1.11
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.19
v0.1.2
v0.1.20
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.3.0
v0.3.2
v0.4.0
v0.4.1
v0.4.10
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9

v1.*

v1.0.0
v1.0.1
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.0.pre.1
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.11.1
v1.11.2
v1.11.3
v1.11.4
v1.11.5
v1.11.6
v1.12.0
v1.12.1
v1.12.2
v1.12.3
v1.12.4
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.14.0
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.16.3
v1.16.4
v1.17.0
v1.17.1
v1.18.0
v1.18.1
v1.18.2
v1.19.0
v1.2.0
v1.2.1
v1.2.10
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.20.0
v1.20.1
v1.21.0
v1.22.0
v1.22.1
v1.22.2
v1.22.3
v1.22.4
v1.23.0
v1.24.0
v1.24.1
v1.24.2
v1.25.0
v1.3.0
v1.3.1
v1.3.3
v1.3.4
v1.3.5
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6.0
v1.6.1
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.9.0
v1.9.1

v2.*

v2.0.0
v2.1.0
v2.1.1
v2.10.0
v2.10.1
v2.10.2
v2.11.0
v2.12.0
v2.13.0
v2.13.1
v2.14.0
v2.14.1
v2.14.2
v2.15.0
v2.15.1
v2.15.2
v2.15.3
v2.16.0
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.1
v2.2.2
v2.20.0
v2.21.0
v2.22.0
v2.23.0
v2.23.1
v2.23.2
v2.24.0
v2.24.1
v2.25.0
v2.26.0
v2.27.0
v2.27.1
v2.28.0
v2.29.0
v2.29.1
v2.3.0
v2.30.0
v2.30.1
v2.30.2
v2.31.0
v2.32.0
v2.32.1
v2.32.2
v2.32.3
v2.32.4
v2.32.5
v2.32.6
v2.33.0
v2.33.1
v2.33.2
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.6.0
v2.7.0
v2.8.0
v2.9.0