ADVISORIES

• OSVDB-132800
• Vendor Advisory

GEM

auto_select2

PATCHED VERSIONS

• >= 0.5.0

DESCRIPTION

auto_select2 Gem for Ruby contains a flaw that is triggered when handling the 'params[:default_class_name]' option. This allows users to search any object of all given ActiveRecord classes.

RELATED

• https://www.openwall.com/lists/oss-security/2016/01/11/2
• https://github.com/Loriowar/auto_select2/issues/4
• https://github.com/bkocherov/auto_select2/commit/c283ba5b2ad828c3b7414565ae66cd0d86f5a5df
• https://github.com/rubysec/ruby-advisory-db/issues/224
• https://github.com/rubysec/ruby-advisory-db/pull/227
• https://github.com/Tab10id/auto_awesomplete/issues/2