Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: safemode
date: 2016-04-20
url: http://seclists.org/oss-sec/2016/q2/119
cve: 2016-3693
title: Safemode Gem for Ruby is vulnerable to information disclosure
description: |
  Safemode is initialised with an optional 'delegate' object.
  If the delegated object is a Rails controller, 'inspect' could
  be called, which then exposes all information about the app,
  including routes, secret tokens, caches and so on.
patched_versions:
- ">= 1.2.4"