Exposed Dangerous Method or Function Affecting turbo_boost-commands package, versions <0.1.3 >=0.2.0, <0.2.2
Threat Intelligence
EPSS
0.04% (11th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-TURBOBOOSTCOMMANDS-6447892
- published 17 Mar 2024
- disclosed 16 Mar 2024
- credit Unknown
Introduced: 16 Mar 2024
CVE-2024-28181 Open this link in a new tabHow to fix?
Upgrade turbo_boost-commands to version 0.1.3, 0.2.2 or higher.
Overview
Affected versions of this package are vulnerable to Exposed Dangerous Method or Function due to insufficient validation of public methods on Command classes. An attacker can invoke more methods than should be allowed by exploiting the lack of robust checks on method permissions.
Workaround
This vulnerability can be mitigated by adding a guard to block invocation of unauthorized methods if running an unpatched version of the library.
class ApplicationCommand < TurboBoost::Commands::Command
before_command do
method_name = params[:name].include?("#") ? params[:name].split("#").last : :perform
ancestors = self.class.ancestors[0..self.class.ancestors.index(TurboBoost::Commands::Command) - 1]
allowed = ancestors.any? { |a| a.public_instance_methods(false).any? method_name.to_sym }
throw :abort unless allowed # ← blocks invocation
# raise "Invalid Command" unless allowed # ← blocks invocation
end
end
References
CVSS Scores
version 3.1