Information disclosure in The Safemode gem for Ruby

#VU10736 Information disclosure in The Safemode gem for Ruby

Published: 2018-02-27 | Updated: 2018-03-19

Vulnerability identifier: #VU10736

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3693

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
The Safemode gem for Ruby
Client/Desktop applications / Software for system administration

Vendor: Ruby

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to a provisioning template containing `inspect` when initialized with a delegate object that is a Rails controller. A remote context-dependent attacker can use the inspect method and access sensitive information.

Mitigation
Update to version 1.2.4.

Vulnerable software versions

The Safemode gem for Ruby: 1.0.0 - 1.2.3

External links
http://github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat update for Satellite 6.3

Information disclosure in the Safemode gem for Ruby