simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Published: September 27, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-16676 (NVD)
- GHSA: GHSA-r74q-gxcg-73hx
- Vendor Advisory: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
PATCHED VERSIONS
>= 5.0
DESCRIPTION
Simple Form before 5.0 has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb,
because a user-supplied string is invoked as a method call.
This only happens for pages that build forms based on user input.
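A simplified illustration of the pattern described above, added here and not taken from simple_form's source: a helper that dispatches a caller-chosen name on the form object, next to a variant that rejects names outside a fixed allowlist before anything is invoked. The Article class, purge_drafts, FORM_FIELDS and both helper names are hypothetical; the allowlist is a general application-side mitigation, not a description of the change made in 5.0.

```ruby
# Constructed model: `purge_drafts` stands in for any public method with a
# side effect that was never meant to be reachable from a request parameter.
class Article
  attr_reader :title, :cover, :purged

  def initialize(cover: nil)
    @title = "Hello"
    @cover = cover
    @purged = false
  end

  def purge_drafts
    @purged = true
  end
end

# Pattern from the advisory: to decide whether an attribute holds a file,
# the name is dispatched on the object, so a caller-chosen name runs a method.
def unsafe_file_method?(object, attribute_name)
  value = object.public_send(attribute_name) if object.respond_to?(attribute_name)
  !value.nil? && value.respond_to?(:original_filename)
end

# Hardened variant: the name must be in a fixed allowlist (an assumption of
# this example) before any dispatch happens; other names raise.
FORM_FIELDS = %w[title cover].freeze

def safe_file_method?(object, attribute_name)
  name = attribute_name.to_s
  raise ArgumentError, "field not permitted: #{name.inspect}" unless FORM_FIELDS.include?(name)
  value = object.public_send(name)
  !value.nil? && value.respond_to?(:original_filename)
end

# Returns [purged_after_unsafe, purged_after_safe] for a request-supplied name.
def demo(user_supplied = "purge_drafts")
  a = Article.new
  unsafe_file_method?(a, user_supplied)   # side effect fires here
  b = Article.new
  begin
    safe_file_method?(b, user_supplied)
  rescue ArgumentError
    # rejected before any method on the object was called
  end
  [a.purged, b.purged]
end

p demo if __FILE__ == $PROGRAM_NAME
```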
