
CVE-2016-3693: Remove `inspect` from allowed methods · theforeman/safemode@0f764a1

A flaw was found in the provisioning template handling in Foreman. An attacker with permission to create templates can cause internal Rails information to be displayed when the template is processed, potentially disclosing sensitive information.

CVE
#ruby

@@ -19,15 +19,15 @@ def test_sending_to_jail_to_an_object_should_return_a_jail end
def test_jail_instances_should_have_limited_methods expected = ["class", "inspect", "method_missing", "methods", "respond_to?", "respond_to_missing?", "to_jail", "to_s", “instance_variable_get”] expected = ["class", "method_missing", "methods", "respond_to?", "respond_to_missing?", "to_jail", "to_s", “instance_variable_get”] expected.delete(‘respond_to_missing?’) if RUBY_VERSION > ‘1.9.3’ # respond_to_missing? is private in rubies above 1.9.3 objects.each do |object| assert_equal expected.sort, reject_pretty_methods(object.to_jail.methods.map(&:to_s).sort) end end
def test_jail_classes_should_have_limited_methods expected = ["new", "methods", "name", "inherited", "method_added", "inspect", expected = ["new", "methods", "name", "inherited", "method_added", "allow", "allowed?", "allowed_methods", "init_allowed_methods", "<", # < needed in Rails Object#subclasses_of "ancestors", “==” # ancestors and == needed in Rails::Generator::Spec#lookup_class
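Review bot: the visible hunk only changes test expectations. Dropping "inspect" from the expected method lists in test_jail_instances_should_have_limited_methods and test_jail_classes_should_have_limited_methods will only pass if the corresponding library change that removes `inspect` from the jail's allowed methods ships in the same commit, so confirm that part is present rather than relying on the test alone. A stronger regression test for this fix would also assert that calling inspect on a jailed object does not return the wrapped object's internals, since that leak is what the change is meant to close. Minor: the guard `expected.delete('respond_to_missing?') if RUBY_VERSION > '1.9.3'` compares version strings lexically; comparing Gem::Version.new(RUBY_VERSION) against Gem::Version.new('1.9.3') avoids surprises with multi-digit components.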

Related news

CVE-2014-0208: Foreman :: Security

Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.
