CVE-2024-28121
Reflex arbitrary method call in stimulus_reflex
Descriptions
stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions, more methods than expected can be called on reflex instances, and being able to call some of them has security implications. To invoke a reflex, a websocket message of the following shape is sent: `"target":"[class_name]#[method_name]","args":[]`. The server proceeds to instantiate `reflex` from the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic because `reflex.method method_name` resolves to more methods than those explicitly defined by the developer in their reflex class; a good example is the inherited `instance_variable_set` method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should see the backing GHSA advisory for mitigation advice.
StimulusReflex versions 3.5.0 up to and including 3.5.0.rc2 and 3.5.0.pre10 suffer from an arbitrary code execution vulnerability.
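The dispatch problem described above, as an added example that is not stimulus_reflex's own code: a minimal stand-in for a reflex base class and a developer-written reflex, with the unsafe `reflex.method(method_name)` dispatch beside a hardened dispatch that only allows public methods declared on the reflex class itself. The class names, the message Hash shape and the allowlist check are assumptions for illustration, not the project's actual patch.

```ruby
# Stand-in for StimulusReflex::Reflex (assumed name for the example).
class BaseReflex
  attr_reader :admin

  def initialize
    @admin = false
  end
end

# A developer-written reflex exposing one intended action.
class CounterReflex < BaseReflex
  def increment(step = 1)
    @count = (@count || 0) + step
  end
end

# Resolve "ClassName#method_name" into the reflex class, accepting only
# classes that extend the base reflex (the check the page describes).
def resolve_reflex_class(target)
  class_name, method_name = target.split("#", 2)
  klass = Object.const_get(class_name)
  raise ArgumentError, "#{class_name} is not a reflex" unless klass.is_a?(Class) && klass < BaseReflex
  [klass, method_name]
end

# Vulnerable dispatch: any method the instance responds to is callable,
# including methods inherited from Object such as instance_variable_set.
def dispatch_unsafe(message)
  klass, method_name = resolve_reflex_class(message["target"])
  reflex = klass.new
  reflex.method(method_name).call(*message["args"])
  reflex
end

# Allowlist: public instance methods defined directly on the reflex class,
# excluding everything inherited from BaseReflex/Object (false = no ancestors).
def callable_reflex_methods(klass)
  klass.public_instance_methods(false).map(&:to_s)
end

# Hardened dispatch: reject any method_name outside the allowlist before
# instantiating the reflex, then call it with public_send.
def dispatch_safe(message)
  klass, method_name = resolve_reflex_class(message["target"])
  unless callable_reflex_methods(klass).include?(method_name)
    raise ArgumentError, "#{method_name} is not an action of #{klass}"
  end
  reflex = klass.new
  reflex.public_send(method_name, *message["args"])
  reflex
end
```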
SSVC
- Decision: Track*
Timeline
- 2024-03-04 CVE Reserved
- 2024-03-12 CVE Published
- 2024-03-14 EPSS Updated
- 2024-03-14 First Exploit
- 2025-02-13 CVE Updated
CWE
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
References (7)
URL | Date | SRC
---|---|---
https://packetstorm.news/files/id/177595 | 2024-03-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Stimulusreflex | Stimulus Reflex | < 3.4.2 | Affected