Safemode Gem for Ruby is vulnerable to information disclosure
Published: April 20, 2016
SECURITY IDENTIFIERS
- CVE: CVE-2016-3693 (NVD)
- GHSA: GHSA-c92m-rrrc-q5wf
- Vendor Advisory: http://seclists.org/oss-sec/2016/q2/119
GEM
SEVERITY
CVSS v3.x: 8.1 (High)
PATCHED VERSIONS
>= 1.2.4
DESCRIPTION
Safemode is initialised with an optional 'delegate' object. If the delegated object is a Rails controller, 'inspect' can be called on it, which then exposes all information about the application, including routes, secret tokens, caches and so on.
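The following is an added example, not code from the Safemode gem and not its actual fix. It shows the mechanism the description refers to in isolation: Ruby's default Object#inspect dumps every instance variable, so a delegate holding application secrets leaks them as soon as 'inspect' is reachable. Beside it is a constructed allowlisting wrapper that forwards only named methods and answers 'inspect' with a fixed string. The FakeController class, its secret value, and the AllowlistedDelegate wrapper are all constructed for this example.

```ruby
# Added example (not Safemode's own code). FakeController stands in for a
# Rails controller; the token and routes are constructed sample data.
SAMPLE_SECRET = "constructed-secret-token".freeze

class FakeController
  def initialize
    @secret_token = SAMPLE_SECRET
    @routes = ["/admin", "/internal"]
  end

  # The one method we would actually want sandboxed code to reach.
  def current_user_name
    "alice"
  end
end

# Unsafe delegate: handing the controller itself to the sandbox means that
# Object#inspect (and friends) can be called on it, and Object#inspect prints
# every instance variable, secret token included.
def unsafe_inspect_output(controller = FakeController.new)
  controller.inspect
end

# Constructed hardened wrapper: the sandbox is only ever given this object.
# Method calls are forwarded by name through #call and must be on an explicit
# allowlist; #inspect and #to_s are overridden so that introspecting the
# wrapper does not recurse into the wrapped controller's state.
class AllowlistedDelegate
  def initialize(target, allowed:)
    @target = target
    @allowed = allowed.map(&:to_sym).freeze
  end

  def call(name, *args)
    sym = name.to_sym
    unless @allowed.include?(sym)
      raise NoMethodError, "#{sym} is not exposed to sandboxed code"
    end
    @target.public_send(sym, *args)
  end

  def inspect
    "#<AllowlistedDelegate exposing #{@allowed.join(', ')}>"
  end
  alias to_s inspect
end

def safe_delegate(controller = FakeController.new)
  AllowlistedDelegate.new(controller, allowed: [:current_user_name])
end

def safe_inspect_output(controller = FakeController.new)
  safe_delegate(controller).inspect
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_inspect_output}"   # contains the secret token
  puts "safe:   #{safe_inspect_output}"     # does not
  puts "safe call: #{safe_delegate.call(:current_user_name)}"
end
```

The wrapper only helps if the sandbox routes every method invocation through `call` rather than letting evaluated code touch the wrapper object directly; reflective methods such as `instance_variable_get` would otherwise still reach the wrapped target, which is why sandboxes of this kind also have to refuse such names at the parser or dispatch level.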
