<p>Upgrade <code>turbo_boost-commands</code> to version 0.1.3, 0.2.2 or higher.</p>

Exposed Dangerous Method or Function Affecting turbo_boost-commands package, versions <0.1.3 >=0.2.0, <0.2.2

Snyk CVSS

Attack Complexity High

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 0.04% (9^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-TURBOBOOSTCOMMANDS-6447892
published 17 Mar 2024
disclosed 16 Mar 2024
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 16 Mar 2024

CVE-2024-28181 Open this link in a new tab CWE-749 Open this link in a new tab

How to fix?

Upgrade turbo_boost-commands to version 0.1.3, 0.2.2 or higher.

Overview

Affected versions of this package are vulnerable to Exposed Dangerous Method or Function due to insufficient validation of public methods on Command classes. An attacker can invoke more methods than should be allowed by exploiting the lack of robust checks on method permissions.

Workaround

This vulnerability can be mitigated by adding a guard to block invocation of unauthorized methods if running an unpatched version of the library.

class ApplicationCommand < TurboBoost::Commands::Command
  before_command do
    method_name = params[:name].include?("#") ? params[:name].split("#").last : :perform
    ancestors = self.class.ancestors[0..self.class.ancestors.index(TurboBoost::Commands::Command) - 1]
    allowed = ancestors.any? { |a| a.public_instance_methods(false).any? method_name.to_sym }
    throw :abort unless allowed # ← blocks invocation
    # raise "Invalid Command" unless allowed # ← blocks invocation
  end
end