OSVDB-125699 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure

July 28th, 2015

ADVISORIES

OSVDB-125699
Vendor Advisory

GEM

PATCHED VERSIONS

~> 2.2.13
~> 2.3.12
~> 2.4.9
>= 3.0.3

DESCRIPTION

Spree contains a flaw where the rendering of arbitrary RABL templates allows for execution arbitrary files on the host system, as well as disclosing the existence of files on the system. This is a different issue than OSVDB-125701.

OSVDB-125701
https://github.com/rubysec/bundler-audit/issues/106
https://security.snyk.io/vuln/SNYK-RUBY-SPREE-20237

RubySec

OSVDB-125699 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure

ADVISORIES

GEM

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories