Possible unsafe reflection / partial denial of service in avo
CVE-2023-34102

8.8 HIGH

Key Information:

Vendor: avo-hq
Status: Vendor
CVE Published: 5 June 2023

What is CVE-2023-34102?

The Avo framework, a popular open source Ruby on Rails admin panel creation tool, contains a vulnerability in its polymorphic field type. This feature, which lets a record update reference one of several possible classes, does not adequately validate the user-supplied class value on the back end. Because the value is used for reflection without sufficient checks, a manipulated record update can cause unexpected behavior ranging from an application crash to, more critically, remote code execution. A fix has been implemented in commit ec117882d, and users are urged to restrict access to their applications until the updated version is released.
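To make the bug class concrete, here is an added Ruby example that is not Avo's code: it contrasts resolving a user-supplied polymorphic type name by unrestricted reflection with resolving it against an allowlist of known model classes. `Post`, `Comment`, `POLYMORPHIC_TYPES` and the resolver names are constructed for illustration.

```ruby
# Constructed stand-ins for the models a polymorphic field may reference.
class Post; end
class Comment; end

# Unsafe pattern: whatever constant name the user supplies is resolved.
# Any loaded class, not just a model, comes back as a real class object,
# which is the "unsafe reflection" this advisory describes.
def resolve_type_unsafe(type_name)
  Object.const_get(type_name)
end

# Hardened pattern: the admin panel knows in advance which models a
# polymorphic association may point to, so the raw string is checked
# against that fixed allowlist before any reflection happens.
POLYMORPHIC_TYPES = {
  "Post"    => Post,
  "Comment" => Comment,
}.freeze

class UnknownPolymorphicType < StandardError; end

def resolve_type_safe(type_name)
  klass = POLYMORPHIC_TYPES[type_name.to_s]
  raise UnknownPolymorphicType, "not an allowed type: #{type_name.inspect}" if klass.nil?
  klass
end

# Convenience predicate for request validation: true only for allowed types.
def allowed_type?(type_name)
  resolve_type_safe(type_name)
  true
rescue UnknownPolymorphicType
  false
end
```

The safe resolver also rejects anything that is not one of the exact allowlisted strings, so there is no path for an unexpected class name to reach the reflection call.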

Affected Version(s)

avo <= 2.33.2

avo >= 3.0.0.pre1, <= 3.0.0.pre12

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
