RubySec

Providing security resources for the Ruby community

OSVDB-125699 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure

Published: July 28, 2015

SECURITY IDENTIFIERS

GEM

spree

PATCHED VERSIONS

~> 2.2.13
~> 2.3.12
~> 2.4.9
>= 3.0.3

DESCRIPTION

Spree contains a flaw in which the rendering of arbitrary RABL templates allows arbitrary files on the host system to be executed (a RABL template is Ruby code evaluated by the template engine), and also allows an attacker to learn whether a given file exists on the system. This is a different issue from OSVDB-125701.
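The two consequences named above, code execution and a file-existence oracle, both follow from one design fact: a RABL template is Ruby, so whatever file a template lookup resolves to gets evaluated. The following is an added illustrative model written for this page, not Spree's or RABL's code, and the advisory does not describe Spree's actual code path. It assumes a toy engine that evaluates template source with instance_eval, a request-controlled template name joined onto a view root, an assumed allowlist of template names for the hardened lookup, and constructed files under a temporary directory standing in for the view tree and for "any readable file on the host".

```ruby
require "tmpdir"
require "fileutils"

# Illustrative model (written for this page, not Spree's or RABL's code) of a
# RABL-style engine: template source is a Ruby DSL, so the engine runs it with
# instance_eval. Whatever file the lookup resolves to is therefore executed.
class ToyTemplateEngine
  # Assumed allowlist of template names the hardened lookup will render.
  ALLOWED_TEMPLATES = %w[products/show.rabl orders/show.rabl].freeze

  def initialize(view_root)
    @view_root = File.expand_path(view_root)
  end

  # Vulnerable pattern: a request-controlled template name is joined onto the
  # view root without validation. A "../" name escapes the root, and the
  # distinct error for a missing file turns the lookup into an existence oracle.
  def render_unchecked(name)
    path = File.join(@view_root, name)
    raise Errno::ENOENT, path unless File.file?(path)
    instance_eval(File.read(path), path, 1)
  end

  # Hardened pattern: accept only an allowlisted name, confirm the resolved
  # path stays under the view root, and fail identically for every rejected
  # name so the response reveals nothing about the filesystem.
  def render_checked(name)
    raise ArgumentError, "unknown template" unless ALLOWED_TEMPLATES.include?(name)
    path = File.expand_path(name, @view_root)
    raise ArgumentError, "unknown template" unless path.start_with?(@view_root + File::SEPARATOR)
    instance_eval(File.read(path), path, 1)
  end
end

# Returns the block's value, or the class of the exception it raised.
def outcome
  yield
rescue StandardError => e
  e.class
end

# Builds a constructed view tree plus a file outside it, then records what each
# lookup does with a legitimate name, a traversal name, and a missing name.
def run_demo
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "views")
    FileUtils.mkdir_p(File.join(root, "products"))
    File.write(File.join(root, "products", "show.rabl"), %q({ "name" => "widget" }))

    # Constructed stand-in for "any readable file on the host"; its contents
    # are plain Ruby, which is exactly what the engine will execute.
    FileUtils.mkdir_p(File.join(tmp, "outside"))
    File.write(File.join(tmp, "outside", "notes.txt"),
               %q("executed as code in pid #{Process.pid}"))

    engine = ToyTemplateEngine.new(root)
    {
      legit:              engine.render_unchecked("products/show.rabl"),
      traversal_executes: outcome { engine.render_unchecked("../outside/notes.txt") },
      missing_reveals:    outcome { engine.render_unchecked("../outside/absent.txt") },
      hardened_legit:     engine.render_checked("products/show.rabl"),
      hardened_traversal: outcome { engine.render_checked("../outside/notes.txt") },
      hardened_missing:   outcome { engine.render_checked("../outside/absent.txt") },
    }
  end
end

if $PROGRAM_NAME == __FILE__
  run_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

In the unchecked lookup the traversal name returns a string built by executing the outside file, while the missing name raises Errno::ENOENT, so an attacker can distinguish existing from absent files even when the file does not evaluate cleanly. The hardened lookup raises the same ArgumentError for both, and the allowlist rather than a path check alone is what matters: any file the process can read is valid Ruby to instance_eval only as far as the attacker chooses its contents, and an allowlist removes that choice entirely.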

RELATED