U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-28181

Change History

New CVE Received by NIST 3/14/2024 2:15:07 PM

Action Type Old Value New Value
Added CVSS V3.1

								
							
							
						
GitHub, Inc. AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE

								
							
							
						
GitHub, Inc. CWE-74
Added Description

								
							
							
						
 turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the strictness of authorization checks that individual applications enforce. Being able to call some of these methods can have security implications. Commands verify that the class must be a `Command` and that the method requested is defined as a public method; however, this isn't robust enough to guard against all unwanted code execution. The library should more strictly enforce which methods are considered safe before allowing them to be executed. This issue has been addressed in versions 0.1.3, and 0.2.2. Users are advised to upgrade. Users unable to upgrade should see the repository GHSA for workaround advice.
Added Reference

								
							
							
						
GitHub, Inc. https://github.com/hopsoft/turbo_boost-commands/commit/88af4fc0ac39cc1799d16c49fab52f6dfbcec9ba [No types assigned]
Added Reference

								
							
							
						
GitHub, Inc. https://github.com/hopsoft/turbo_boost-commands/security/advisories/GHSA-mp76-7w5v-pr75 [No types assigned]