Main Vulnerability Database SB2016033002

SB2016033002 - Information disclosure in the Safemode gem for Ruby

Published: March 30, 2016 Updated: April 3, 2018

Security Bulletin ID SB2016033002

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2016-3693)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to a provisioning template containing `inspect` when initialized with a delegate object that is a Rails controller. A remote context-dependent attacker can use the inspect method and access sensitive information.

Remediation

Install update from vendor's website.

References

https://github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f