RubySec

Providing security resources for the Ruby community

CVE-2016-3693 (safemode): Safemode Gem for Ruby is vulnerable to information disclosure

GEM

safemode

SEVERITY

CVSS v3.x: 8.1 (High)

PATCHED VERSIONS

  • >= 1.2.4

DESCRIPTION

Safemode is initialised with an optional ‘delegate’ object. If the delegated object is a Rails controller, ‘inspect’ can be called on it, which exposes all information about the application, including routes, secret tokens, caches and so on.
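The following is an added example, not code from the safemode gem, showing why a reachable `inspect` on a delegate is an information disclosure: Ruby's default `Object#inspect` prints every instance variable of the receiver, and a Rails controller holds references to the application's secrets, routes and caches in exactly those variables. The sandbox classes and `FakeController` below are constructed stand-ins (no Rails or safemode is loaded); the leaky box forwards every public method to the delegate, the hardened box forwards only an allow-list.

```ruby
# Added example (not the safemode gem's code): a toy template sandbox that
# forwards method calls to an optional delegate, first in the leaky form and
# then with an allow-list. FakeController is a constructed stand-in for a
# Rails controller; no Rails is loaded.

# Constructed stand-in for ActionController::Base: the controller object
# keeps the app's secrets, routes and caches in instance variables.
class FakeController
  def initialize
    @secret_key_base = "constructed-secret-key-base-0123"
    @routes = ["/admin", "/users/:id"]
    @cache = { "session:42" => "cached-page-body" }
  end

  # The one method a template author is meant to reach.
  def greeting(name)
    "Hello, #{name}"
  end
end

# Leaky sandbox: any public method of the delegate is reachable, so a
# template can call `inspect`, and Object#inspect prints every instance
# variable of the delegate.
class LeakyDelegateBox
  def initialize(delegate = nil)
    @delegate = delegate
  end

  def call(method_name, *args)
    @delegate.public_send(method_name, *args)
  end
end

# Hardened sandbox: only explicitly allowed method names reach the delegate;
# everything else (inspect, instance_variable_get, send, ...) is refused.
class HardenedDelegateBox
  class Disallowed < StandardError; end

  def initialize(delegate = nil, allowed: [])
    @delegate = delegate
    @allowed = allowed.map(&:to_sym).freeze
  end

  def call(method_name, *args)
    name = method_name.to_sym
    raise Disallowed, "#{name} is not allowed on the delegate" unless @allowed.include?(name)
    @delegate.public_send(name, *args)
  end
end

# What a template evaluated with the leaky box obtains from a controller delegate:
# the full Object#inspect dump, secrets included.
def leak_via_inspect(controller)
  LeakyDelegateBox.new(controller).call(:inspect)
end

# The same two calls against the hardened box: greeting works, inspect is refused.
def hardened_outcome(controller)
  box = HardenedDelegateBox.new(controller, allowed: [:greeting])
  greeting = box.call(:greeting, "template")
  begin
    box.call(:inspect)
    inspect_result = :leaked
  rescue HardenedDelegateBox::Disallowed
    inspect_result = :refused
  end
  [greeting, inspect_result]
end

if __FILE__ == $PROGRAM_NAME
  puts leak_via_inspect(FakeController.new)
  p hardened_outcome(FakeController.new)
end
```

The practical check for a safemode user is the same as for the hardened box: whatever object is passed as the delegate, the set of methods a template can invoke on it should be an explicit allow-list, and `inspect`, `to_s` on objects with interesting state, `instance_variable_get`, `send` and friends should never be on it. Upgrading to safemode 1.2.4 or later addresses the reported case.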