CVE-2023-34102: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

June 5, 2023 (updated June 12, 2023)

Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit ec117882d which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.

References

github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17
github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
nvd.nist.gov/vuln/detail/CVE-2023-34102

Detect and mitigate CVE-2023-34102 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →