OSVDB-125701 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure

July 20th, 2015

ADVISORIES

OSVDB-125701
Vendor Advisory

GEM

PATCHED VERSIONS

~> 2.2.12
~> 2.3.11
~> 2.4.8
>= 3.0.2

DESCRIPTION

Spree contains a flaw where the rendering of arbitrary RABL templates allows for execution arbitrary files on the host system, as well as disclosing the existence of files on the system.

https://web.archive.org/web/20160331140223/https://spreecommerce.com/blog/security-updates-2015-7-20
https://github.com/rubysec/bundler-audit/issues/106

RubySec

OSVDB-125701 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure

ADVISORIES

GEM

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories