CVE-2024-28121: StimulusReflex arbitrary method call
(updated )
More methods than expected can be called on reflex instances. Being able to call some of them has security implications.
References
- github.com/advisories/GHSA-f78j-4w3g-4q65
- github.com/rubysec/ruby-advisory-db/blob/master/gems/stimulus_reflex/CVE-2024-28121.yml
- github.com/stimulusreflex/stimulus_reflex
- github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb
- github.com/stimulusreflex/stimulus_reflex/commit/538582d240439aab76066c72335ea92096cd0c7f
- github.com/stimulusreflex/stimulus_reflex/commit/d823d7348f9ca42eb6df25574f11974e4f5bc88c
- github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2
- github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4
- github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65
- nvd.nist.gov/vuln/detail/CVE-2024-28121
Code Behaviors & Features
Detect and mitigate CVE-2024-28121 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →