CVE-2018-3777 – restforce

Package

Manager: gem
Name: restforce
Vulnerable Version: >=0 <3.0.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00363 pctl0.57621

Details

restforce vulnerable to Improper Input Validation A flaw in how restforce constructs URLs may allow an attacker to inject additional parameters into Salesforce API requests. Impact ------ This flaw is only exploitable in applications that pass user input directly to restforce's select, find, describe, update, upsert, and destroy methods. Vulnerable code might look like: ```ruby client.select('SomeSalesForceObject', params[:some-id], ...) ``` In such an application, attackers could pass `0016000000MRatd/describe` as a request parameter, causing the server to make a request to a different endpoint than the server is designed to handle. Since the Salesforce REST API supports overriding HTTP methods via a request parameter, an attacker could also cause the client's `select()` method to modify data, by passing `0016000000MRatd/?_HttpMethod=PATCH&other-query-params=...`. Workarounds ------ If possible, applications should track salesforce IDs internally, rather than passing user-supplied IDs to salesforce. Such practice mitigates this vulnerability, and in general is desirable for ensuring strong access control.

Metadata

Created: 2018-08-03T21:04:02Z
Modified: 2023-06-09T20:17:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-534w-937m-v7x3/GHSA-534w-937m-v7x3.json
CWE IDs: ["CWE-172", "CWE-20"]
Alternative ID: GHSA-534w-937m-v7x3
Finding: F184
Auto approve: 1