ADVISORIES
- OSVDB-95668
- Vendor Advisory
GEM
PATCHED VERSIONS
- >= 2.1.2
DESCRIPTION
Builder Gem for Ruby contains a flaw in the handling of tag names. The issue is triggered when the program reads tag names from XML data and then calls a method with that name. With a specially crafted file, a context-dependent attacker can call private methods and manipulate data.
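The class of flaw described above, shown as an added example that is not taken from the Builder gem's source or the vendor advisory: a builder-style writer whose elements are dispatched by input-derived tag name, first with a visibility-ignoring call and then with an allowlisted, visibility-respecting one. TagWriter, render_unsafe, render_safe, ALLOWED_TAGS and the sample input are hypothetical names and constructed data.

```ruby
# Constructed illustration; TagWriter, render_unsafe and render_safe are
# hypothetical names, not the Builder gem's source.
class TagWriter
  attr_reader :out, :wiped

  def initialize
    @out = +""
    @wiped = false
  end

  # Undefined method names become XML elements (builder-style DSL).
  def method_missing(name, content = nil)
    @out << "<#{name}>#{content}</#{name}>"
    self
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end

  private

  # Internal helper that input-derived names must never reach.
  def wipe!(*_args)
    @out.clear
    @wiped = true
  end
end

ALLOWED_TAGS = %w[title author].freeze

# Flawed pattern: Object#send ignores visibility, so a tag name matching a
# private method runs that method instead of emitting an element.
def render_unsafe(pairs)
  pairs.each_with_object(TagWriter.new) { |(tag, text), w| w.send(tag, text) }
end

# Hardened: allowlist the tag name, then dispatch with public_send, which
# respects private/protected visibility.
def render_safe(pairs)
  pairs.each_with_object(TagWriter.new) do |(tag, text), w|
    raise ArgumentError, "tag not allowed: #{tag.inspect}" unless ALLOWED_TAGS.include?(tag)
    w.public_send(tag, text)
  end
end

SAMPLE = [["title", "Report"], ["wipe!", ""]].freeze # constructed input
```

When reviewing code that builds XML from untrusted names, look for `send`, `__send__` or `instance_eval` fed by parsed tag names, and confirm the installed builder version is at or above the patched release listed above.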