// For flags

CVE-2024-28121

Reflex arbitrary method call in stimulus_reflex

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.

stimulus_reflex es un sistema para ampliar las capacidades de Rails y Stimulus interceptando las interacciones del usuario y pasándolas a Rails a través de websockets en tiempo real. En las versiones afectadas se pueden invocar más métodos de los esperados en instancias reflejas. Poder llamar a algunos de ellos tiene implicaciones de seguridad. Para invocar un reflejo, se envía un mensaje websocket con la siguiente forma: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. El servidor procederá a crear una instancia de `reflex` utilizando el `class_name` proporcionado siempre que extienda `StimulusReflex::Reflex`. Luego intenta llamar a "method_name" en la instancia con los argumentos proporcionados. Esto es problemático ya que `reflex.method method_name` puede contener más métodos que los especificados explícitamente por el desarrollador en su clase refleja. Un buen ejemplo es el método instance_variable_set. Esta vulnerabilidad ha sido parcheada en las versiones 3.4.2 y 3.5.0.rc4. Los usuarios que no puedan actualizar deben: consultar el aviso de respaldo de GHSA para obtener consejos de mitigación.

StimulusReflex versions 3.5.0 up to and including 3.5.0.rc2 and 3.5.0.pre10 suffer from an arbitrary code execution vulnerability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-03-04 CVE Reserved
  • 2024-03-12 CVE Published
  • 2024-03-14 EPSS Updated
  • 2024-08-15 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Stimulusreflex
Search vendor "Stimulusreflex"
 Stimulus Reflex
Search vendor "Stimulusreflex" for product "Stimulus Reflex"
 < 3.4.2
Search vendor "Stimulusreflex" for product "Stimulus Reflex" and version " < 3.4.2"
en
Affected