CVE-2017-7540 – safemode

Package

Manager: gem
Name: safemode
Vulnerable Version: >=0 <1.3.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00289 pctl0.51957

Details

Safemode Gem Has Incomplete List of Disallowed Inputs rubygem-safemode, as used in Foreman, versions 1.3.1 and earlier are vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete permissions or possibly to privilege escalation.

Metadata

Created: 2017-10-24T18:33:35Z
Modified: 2023-09-05T21:30:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-5vx5-9q73-wgp4/GHSA-5vx5-9q73-wgp4.json
CWE IDs: ["CWE-184"]
Alternative ID: GHSA-5vx5-9q73-wgp4
Finding: F184
Auto approve: 1