GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
PATCHED VERSIONS
- ~> 2.0.13
- ~> 2.1.11
- ~> 2.2.5
- ~> 2.3.10
- ~> 2.4.11
- ~> 2.5.3
- ~> 2.6.3
- ~> 2.7.8
- ~> 2.8.2
- ~> 2.9.2
- ~> 2.10.4
- ~> 2.11.3
- >= 2.12.0
DESCRIPTION
If you call the #find method on any class derived from the Resource class with an id taken from user input, an attacker who controls that input can force the HTTP client to send its request to a server under their control. Because the client sends your private API key with every request, that request discloses the key to the attacker's server.
Because of the severity of the impact, we recommend that all users upgrade to a patched version. A non-breaking patch release is available for every 2.x minor version of the client (see PATCHED VERSIONS above).
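The example below models the failure mode the description warns about. It is added here for illustration and is not the gem's own code: the Resource class, the Account subclass, the API_BASE and API_KEY constants, and the way the request URI is built with URI.join are all assumptions chosen to show how an unvalidated id can redirect a request. The unsafe form joins the caller's id straight onto the base URI; the safe form allowlists the id and checks that the resolved URI still points at the API host under the collection path.

```ruby
require "uri"

# Constructed model of a REST client's Resource base class (example code, not
# the advisory's gem). Every request carries the private API key in the
# Authorization header, so whichever host the URI resolves to receives the key.
API_BASE = URI("https://api.example.com/v2/")
API_KEY  = "sk_live_EXAMPLE_DO_NOT_USE" # constructed placeholder, not a real key

class Resource
  # Characters a well-formed resource id may contain; anything else is rejected.
  ID_PATTERN = /\A[A-Za-z0-9_-]{1,64}\z/

  def self.collection_path
    raise NotImplementedError, "subclasses define their collection path"
  end

  # Vulnerable form: the caller-supplied id is joined onto the base URI with no
  # validation. URI.join follows RFC 3986 reference resolution, so an absolute
  # URL, a scheme-relative "//host/..." reference, or ".." segments in the id
  # rewrite the host or path the client will talk to.
  def self.unsafe_request_uri(id)
    URI.join(API_BASE, "#{collection_path}/", id.to_s)
  end

  # Hardened form: allowlist the id, then confirm the resolved URI still uses
  # the API's scheme and host and sits under the resource's collection path.
  def self.safe_request_uri(id)
    id = id.to_s
    raise ArgumentError, "invalid resource id" unless id.match?(ID_PATTERN)

    uri = URI.join(API_BASE, "#{collection_path}/", id)
    expected_prefix = URI.join(API_BASE, "#{collection_path}/").to_s
    unless uri.scheme == API_BASE.scheme && uri.host == API_BASE.host &&
           uri.to_s.start_with?(expected_prefix)
      raise ArgumentError, "resolved URI escaped the API base"
    end
    uri
  end

  # Stand-in for the HTTP call: instead of performing a request it returns the
  # host and path that would receive the Authorization header, which is enough
  # to see where the API key would go.
  def self.find(id, safe: true)
    uri = safe ? safe_request_uri(id) : unsafe_request_uri(id)
    {
      host: uri.host,
      path: uri.path,
      authorization: "Basic #{["#{API_KEY}:"].pack("m0")}"
    }
  end
end

class Account < Resource
  def self.collection_path
    "accounts"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed attacker-controlled ids alongside a legitimate one.
  ["abc-123", "https://attacker.example/steal", "//attacker.example/x", "../../../admin"].each do |id|
    puts "#{id.inspect} -> unsafe host: #{Account.unsafe_request_uri(id).host}"
    begin
      puts "#{id.inspect} -> safe:        #{Account.safe_request_uri(id)}"
    rescue ArgumentError => e
      puts "#{id.inspect} -> safe:        rejected (#{e.message})"
    end
  end
end
```

Until you can upgrade, validating ids before they reach #find is the mitigation the hardened form models; it belongs in your application, since the fix in the patched client versions is what closes the hole for everyone. If your logs show requests that resolved to a host other than the API's, treat the API key as exposed and rotate it.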