Ash
Monthly
Private argument injection in the Ash Elixir framework (versions 3.0.0 through 3.29.2) allows end users to set action arguments explicitly marked public?: false, which are designed to be controlled exclusively by trusted server-side code. The filtering logic in both the regular changeset path and the atomic changeset path fails to enforce the public? flag when input parameters arrive as string (binary) keys - the default format for user-supplied JSON or form data. An attacker who submits a string-keyed parameter matching a private argument name can inject an arbitrary value, potentially enabling privilege escalation or integrity violations if that argument drives authorization decisions such as acting_user_id or record ownership. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.
An issue was discovered in the ash crate before 0.33.1 for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Private argument injection in the Ash Elixir framework (versions 3.0.0 through 3.29.2) allows end users to set action arguments explicitly marked public?: false, which are designed to be controlled exclusively by trusted server-side code. The filtering logic in both the regular changeset path and the atomic changeset path fails to enforce the public? flag when input parameters arrive as string (binary) keys - the default format for user-supplied JSON or form data. An attacker who submits a string-keyed parameter matching a private argument name can inject an arbitrary value, potentially enabling privilege escalation or integrity violations if that argument drives authorization decisions such as acting_user_id or record ownership. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.
An issue was discovered in the ash crate before 0.33.1 for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.