GHSA-5vx5-9q73-wgp4

Source

https://github.com/advisories/GHSA-5vx5-9q73-wgp4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-5vx5-9q73-wgp4/GHSA-5vx5-9q73-wgp4.json

Aliases

CVE-2017-7540

Published

2017-10-24T18:33:35Z

Modified

2024-02-16T08:16:32.843034Z

Details

rubygem-safemode, as used in Foreman, versions 1.3.1 and earlier are vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete permissions or possibly to privilege escalation.

References

https://nvd.nist.gov/vuln/detail/CVE-2017-7540
https://github.com/svenfuchs/safemode/pull/23
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/safemode/CVE-2017-7540.yml
https://github.com/svenfuchs/safemode

Affected packages

RubyGems / safemode

Package

Name: safemode

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.3.2

Affected versions

0.*

0.0.2

1.*

1.0.0

1.0.1

1.0.2

1.1.0

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.3.1