Skip to main content

Stimulusrelfex CVE-2024-28121

HIGH
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2024-03-12 security-advisories@github.com
8.8
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 12, 2024 - 20:15 cve.org
HIGH 8.8

DescriptionCVE.org

stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: \"target\":\"[class_name]#[method_name]\",\"args\":[]. The server will proceed to instantiate reflex using the provided class_name as long as it extends StimulusReflex::Reflex. It then attempts to call method_name on the instance with the provided arguments. This is problematic as reflex.method method_name can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.

AnalysisAI

stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-470. stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: \"target\":\"[class_name]#[method_name]\",\"args\":[]. The server will proceed to instantiate reflex using the provided class_name as long as it extends StimulusReflex::Reflex. It then attempts to call method_name on the instance with the provided arguments. This is problematic as reflex.method method_name can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice. Affected products include: Stimulusreflex Stimulusrelfex.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2024-28121 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy