ADVISORIES

• OSVDB-110796
• Vendor Advisory

GEM

flavour_saver

PATCHED VERSIONS

• >= 0.3.3

DESCRIPTION

FlavourSaver contains a flaw in helper method dispatch where it uses Kernel::send to call helpers without checking that they are defined within the template context first. This allows expressions such as {{system "ls"}} or {{eval "puts 1 + 1"}} to be executed.

RELATED

• https://github.com/FlavourSaver/FlavourSaver/compare/v0.3.2...v0.3.3
• https://github.com/FlavourSaver/FlavourSaver/commit/04a8ff444a9a9668a75b01b20b4974d398087a64
• https://raw.githubusercontent.com/codesake/codesake-dawn/master/Roadmap.md
• https://github.com/slowmistio/dawnscanner-analysis-security-scanner-for-ruby-/blob/master/Roadmap.md
• https://security.snyk.io/vuln/SNYK-RUBY-FLAVOURSAVER-5457859
• http://osvdb.org/show/osvdb/110796