RubySec

Providing security resources for the Ruby community

OSVDB-125701 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure

Published: July 20, 2015

SECURITY IDENTIFIERS

OSVDB-125701

GEM

spree

PATCHED VERSIONS

~> 2.2.12
~> 2.3.11
~> 2.4.8
>= 3.0.2

DESCRIPTION

Spree contains a flaw where the rendering of arbitrary RABL templates allows an attacker to have arbitrary files on the host system evaluated as Ruby code (a RABL template is Ruby that the renderer evaluates), as well as disclosing the existence of files on the system through the differing responses for files that do and do not exist.
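The two consequences named above follow from one pattern: a renderer that lets the request choose which template file is evaluated. The following Ruby is an added illustration written for this page, not Spree's or RABL's own code, and the advisory does not say how Spree selected the template; the resolver, the toy RABL-style DSL, the view directory and the fixture files are all constructed here. It pairs a vulnerable resolver (request-supplied name joined onto the view directory) with a hardened one (allowlisted name, containment check, one opaque error), and probes both with a traversal to an attacker-writable .rabl file, an existing non-template file, and a missing file.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical renderer for this page (not Spree's or RABL's code). As in RABL,
# the template file's contents are evaluated as Ruby, so whoever chooses the
# file chooses the code that runs.
class TemplateRenderer
  class TemplateNotFound < StandardError; end

  # The hardened resolver accepts only bare template names of this shape.
  SAFE_NAME = /\A[a-z0-9_]+\z/

  def initialize(view_dir)
    @view_dir = File.expand_path(view_dir)
  end

  # Vulnerable: the request-supplied name is resolved relative to the view
  # directory with no validation. "../" escapes the directory, and the error
  # differs by whether the target exists, which leaks file existence.
  def resolve_unsafe(name)
    path = File.expand_path(name, @view_dir)
    raise TemplateNotFound, "missing template #{path}" unless File.exist?(path)
    path
  end

  # Hardened: allowlist the name, append the extension ourselves, re-check that
  # the expanded path is still inside the view directory, and raise one opaque
  # error for every failure so the response is not an existence oracle.
  def resolve_safe(name)
    raise TemplateNotFound, "template not found" unless name.match?(SAFE_NAME)
    path = File.expand_path("#{name}.rabl", @view_dir)
    inside = path.start_with?(@view_dir + File::SEPARATOR)
    raise TemplateNotFound, "template not found" unless inside && File.file?(path)
    path
  end

  def render_unsafe(name, object)
    evaluate(resolve_unsafe(name), object)
  end

  def render_safe(name, object)
    evaluate(resolve_safe(name), object)
  end

  # Toy subset of the RABL DSL: `attributes` copies fields, `node` runs a block.
  class Scope
    attr_reader :result

    def initialize(object)
      @object = object
      @result = {}
    end

    def attributes(*names)
      names.each { |n| @result[n] = @object[n] }
    end

    def node(name, &block)
      @result[name] = block.call(@object)
    end
  end

  private

  def evaluate(path, object)
    scope = Scope.new(object)
    scope.instance_eval(File.read(path), path) # the template is Ruby
    scope.result
  end
end

# Constructed fixture: a legitimate template inside views/, plus two files the
# application never meant to render: an attacker-writable .rabl outside the
# view directory, and a config file that is not Ruby at all.
def build_fixture(root)
  views = File.join(root, "views")
  FileUtils.mkdir_p(views)
  File.write(File.join(views, "order.rabl"), "attributes :number, :total\n")
  File.write(File.join(root, "evil.rabl"),
             "node(:pwned) { |_| 'attacker-supplied Ruby executed' }\n")
  File.write(File.join(root, "config.ini"), "[database]\npassword = hunter2\n")
  views
end

# Classify one render attempt: rendered, not found, or some other exception.
def probe(renderer, method, name, object)
  [:ok, renderer.public_send(method, name, object)]
rescue TemplateRenderer::TemplateNotFound => e
  [:not_found, e.message]
rescue StandardError, ScriptError => e
  [:error, e.class.name]
end

def demo
  Dir.mktmpdir("rabl-demo") do |root|
    r = TemplateRenderer.new(build_fixture(root))
    order = { number: "R123456", total: 42.0 }
    {
      legit:           probe(r, :render_safe,   "order", order),
      unsafe_escape:   probe(r, :render_unsafe, "../evil.rabl", order),
      unsafe_existing: probe(r, :render_unsafe, "../config.ini", order),
      unsafe_missing:  probe(r, :render_unsafe, "../nothing.ini", order),
      safe_escape:     probe(r, :render_safe,   "../evil", order),
      safe_missing:    probe(r, :render_safe,   "nothing", order),
    }
  end
end

demo.each { |k, v| puts "#{k}: #{v.inspect}" } if __FILE__ == $PROGRAM_NAME
```

Running it shows the unsafe resolver rendering the attacker's file (code execution), raising a NameError for the existing config file and a "missing template" error for the absent one (the existence oracle), while the hardened resolver answers every bad name with the same "template not found". The allowlist does the real work; the containment check is a second line of defence for the case where the name is later built from several pieces.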
