RubySec

Providing security resources for the Ruby community

OSVDB-125699 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure

GEM

spree

PATCHED VERSIONS

  • ~> 2.2.13
  • ~> 2.3.12
  • ~> 2.4.9
  • >= 3.0.3

DESCRIPTION

Spree contains a flaw where the rendering of arbitrary RABL templates allows for the execution of arbitrary files on the host system, as well as disclosing the existence of files on the system. This is a different issue from OSVDB-125701.
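The practical check a Ruby shop wants from this advisory is whether the spree version it has pinned falls inside one of the patched ranges above. The script below is an added example, not code from RubySec or from the Spree project: it encodes the advisory's four patched-version constraints with `Gem::Requirement` (so `~>` is interpreted exactly as Bundler interprets it), reads the resolved spree version out of a `Gemfile.lock`, and reports whether that version is covered. The `Gemfile.lock` excerpt is a constructed sample, and the `spree_patched?` and `spree_version_from_lockfile` helper names are this example's own.

```ruby
# Added example (not part of the RubySec advisory or of Spree): check a
# resolved spree version against the patched ranges listed for OSVDB-125699.
require "rubygems"

# Patched ranges exactly as the advisory lists them. Gem::Requirement gives
# "~> 2.2.13" its Bundler meaning: >= 2.2.13 and < 2.3.
PATCHED_REQUIREMENTS = [
  "~> 2.2.13",
  "~> 2.3.12",
  "~> 2.4.9",
  ">= 3.0.3",
].map { |spec| Gem::Requirement.new(spec) }.freeze

# True when the version satisfies at least one patched range, i.e. the
# advisory considers it fixed; false means it is within the affected range.
def spree_patched?(version_string)
  version = Gem::Version.new(version_string)
  PATCHED_REQUIREMENTS.any? { |req| req.satisfied_by?(version) }
end

# Pull the resolved spree version out of Gemfile.lock text. Bundler writes
# resolved gems under "specs:" indented by four spaces as "    spree (X.Y.Z)";
# dependencies of a gem are indented further, so the anchor avoids them.
def spree_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}spree \(([^)]+)\)/)
  match && match[1]
end

# Constructed sample lockfile excerpt (hypothetical application, not a real
# project's lockfile) pinned to a version below the patched 2.4.x range.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree (2.4.8)
        spree_api (= 2.4.8)
      spree_api (2.4.8)
LOCK

if __FILE__ == $0
  version = spree_version_from_lockfile(SAMPLE_LOCK)
  status = spree_patched?(version) ? "patched" : "affected by OSVDB-125699"
  puts "spree #{version}: #{status}"
end
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `File.read("Gemfile.lock")`; the same `Gem::Requirement` approach is what `bundler-audit` applies to the whole ruby-advisory-db, so this is the manual form of that check for a single advisory.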