stimulusreflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: \"target\":\"[class_name]#[method_name]\",\"args\":[]. The server will proceed to instantiate reflex using the provided class_name as long as it extends StimulusReflex::Reflex. It then attempts to call method_name on the instance with the provided arguments. This is problematic as reflex.method method_name can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instancevariable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28121.json",
"cwe_ids": [
"CWE-470"
],
"cna_assigner": "GitHub_M"
}{
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:stimulusreflex:stimulusrelfex:*:*:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre1:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre10:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre2:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre3:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre4:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre5:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre6:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre7:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre8:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre9:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc2:*:*:*:*:*:*",
"cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc3:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.4.2"
},
{
"introduced": "3.5.0-pre1"
},
{
"last_affected": "3.5.0-pre1"
},
{
"introduced": "3.5.0-pre10"
},
{
"last_affected": "3.5.0-pre10"
},
{
"introduced": "3.5.0-pre2"
},
{
"last_affected": "3.5.0-pre2"
},
{
"introduced": "3.5.0-pre3"
},
{
"last_affected": "3.5.0-pre3"
},
{
"introduced": "3.5.0-pre4"
},
{
"last_affected": "3.5.0-pre4"
},
{
"introduced": "3.5.0-pre5"
},
{
"last_affected": "3.5.0-pre5"
},
{
"introduced": "3.5.0-pre6"
},
{
"last_affected": "3.5.0-pre6"
},
{
"introduced": "3.5.0-pre7"
},
{
"last_affected": "3.5.0-pre7"
},
{
"introduced": "3.5.0-pre8"
},
{
"last_affected": "3.5.0-pre8"
},
{
"introduced": "3.5.0-pre9"
},
{
"last_affected": "3.5.0-pre9"
},
{
"introduced": "3.5.0-rc1"
},
{
"last_affected": "3.5.0-rc1"
},
{
"introduced": "3.5.0-rc2"
},
{
"last_affected": "3.5.0-rc2"
},
{
"introduced": "3.5.0-rc3"
},
{
"last_affected": "3.5.0-rc3"
}
]
}