High severity · CVSS 8.1 (NVD) · Advisory · Published May 20, 2016 · Updated May 6, 2026
CVE-2016-3693
Description
The Safemode gem before 1.2.4 for Ruby, when initialized with a delegate object that is a Rails controller, allows context-dependent attackers to obtain sensitive information via the inspect method.
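To make the description concrete, here is an added Ruby illustration (not code from the Safemode gem or from Foreman) of why a jail that leaves `inspect` callable leaks its delegate. `FakeController`, `ToyJailError` and `build_jail` are stand-ins invented for this example, and the secret-looking instance variables are constructed sample data; the two allow-lists are the ones the fix commit replaces and introduces.

```ruby
# Toy re-creation (added illustration, not the Safemode gem's code) of the
# Blankslate/Jail pattern behind CVE-2016-3693: a wrapper class undefines every
# inherited public method except an allow-list and forwards the rest through
# method_missing. If Object#inspect survives that undef, calling it on the
# wrapper renders the wrapper's instance variables, including the wrapped
# delegate and everything the delegate holds.

# Constructed stand-in for a Rails controller; the ivars are sample secrets.
class FakeController
  def initialize
    @session = { user_id: 42, csrf_token: "deadbeef" }   # constructed sample
    @db_password = "hunter2"                             # constructed sample
  end

  def title
    "Hosts"
  end
end

# Hypothetical error class; the real gem raises its own error type.
class ToyJailError < StandardError; end

# Builds a jail class. `allow_on_jail` lists the wrapper's own methods that are
# kept (the analogue of @@allow_instance_methods); every other public instance
# method is undefined so that calls reach method_missing instead.
def build_jail(allow_on_jail)
  Class.new do
    keep = allow_on_jail + %w[__send__ __id__ object_id]
    (instance_methods.map(&:to_s) - keep).each { |m| undef_method(m) }

    # source: the wrapped delegate; allowed: method names it may receive.
    def initialize(source, allowed)
      @source  = source
      @allowed = allowed
    end

    # Forward only explicitly allowed methods to the wrapped delegate.
    def method_missing(name, *args, &blk)
      unless @allowed.include?(name.to_s)
        raise ToyJailError, "#{name} is not allowed on #{@source.class}"
      end
      @source.__send__(name, *args, &blk)
    end

    def respond_to_missing?(name, _include_private = false)
      @allowed.include?(name.to_s)
    end
  end
end

# The two allow-lists from the fix commit: before and after dropping inspect.
VULNERABLE_ALLOW = %w[class inspect methods respond_to? respond_to_missing?
                      to_s instance_variable_get].freeze
FIXED_ALLOW = (VULNERABLE_ALLOW - %w[inspect]).freeze

# What template code calling `inspect` on the jail gets back: either the
# rendered wrapper (vulnerable case) or the jail's refusal (fixed case).
def inspect_through_jail(allow_on_jail)
  jail = build_jail(allow_on_jail).new(FakeController.new, %w[title])
  jail.inspect
rescue ToyJailError => e
  "refused: #{e.message}"
end

def leaks_secret?(allow_on_jail)
  inspect_through_jail(allow_on_jail).include?("hunter2")
end

# Allowed delegate methods still work through the hardened jail.
def title_through_jail(allow_on_jail)
  build_jail(allow_on_jail).new(FakeController.new, %w[title]).title
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{inspect_through_jail(VULNERABLE_ALLOW)}"
  puts "after fix:  #{inspect_through_jail(FIXED_ALLOW)}"
end
```

Run the file directly to see both outputs. The point is that `inspect` on the wrapper is plain Object#inspect, which renders `@source` and everything beneath it; once the name is dropped from the allow-list the call falls into method_missing and is refused like any other disallowed method, while allowed delegate methods such as `title` keep working.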
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| safemode (RubyGems) | < 1.2.4 | 1.2.4 |
Patches
282f9b93c54f7: Fixes #14635 - bump safemode version to fix the unwanted inspect issue
1 file changed · +1 −1
Gemfile+1 −1 modified@@ -19,7 +19,7 @@ gem 'foreigner', '~> 1.4' gem 'validates_lengths_from_database', '~> 0.5' gem 'friendly_id', '~> 5.0' gem 'secure_headers', '~> 1.3' -gem 'safemode', '~> 1.2' +gem 'safemode', '~> 1.2', '>= 1.2.4' gem 'fast_gettext', '>= 0.8', '< 2.0' gem 'gettext_i18n_rails', '~> 1.0' gem 'rails-i18n', '~> 4.0.0'
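Review bot: the new `'>= 1.2.4'` floor on the `gem 'safemode'` line carries no comment saying why it is there, so a later cleanup that collapses the constraints could silently drop it; add an inline comment naming CVE-2016-3693 (or #14635) next to the floor. Also note that `'~> 1.2', '>= 1.2.4'` is deliberately looser than `'~> 1.2.4'` (it still admits 1.3.x and later 1.x releases), which is fine as long as that is the intent.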
0f764a1720a3: Remove `inspect` from allowed methods
2 files changed · +4 −4
lib/safemode/blankslate.rb+2 −2 modified@@ -1,7 +1,7 @@ module Safemode class Blankslate - @@allow_instance_methods = ['class', 'inspect', 'methods', 'respond_to?', 'respond_to_missing?', 'to_s', 'instance_variable_get'] - @@allow_class_methods = ['methods', 'new', 'name', 'inspect', '<', 'ancestors', '=='] # < needed in Rails Object#subclasses_of + @@allow_instance_methods = ['class', 'methods', 'respond_to?', 'respond_to_missing?', 'to_s', 'instance_variable_get'] + @@allow_class_methods = ['methods', 'new', 'name', '<', 'ancestors', '=='] # < needed in Rails Object#subclasses_of silently { undef_methods(*instance_methods.map(&:to_s) - @@allow_instance_methods) } class << self
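Review bot: `inspect` is dropped from both allow-lists, but nothing in the hunk records why it was unsafe, and `to_s` and `instance_variable_get` stay in @@allow_instance_methods; add a comment beside the list explaining that Object#inspect renders the jail's own instance variables and therefore the wrapped source, and confirm in review that the remaining reflection methods cannot reach the same state through the jail object itself (for instance `instance_variable_get` called on the jail rather than forwarded to the source).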
test/test_jail.rb+2 −2 modified@@ -19,15 +19,15 @@ def test_sending_to_jail_to_an_object_should_return_a_jail end def test_jail_instances_should_have_limited_methods - expected = ["class", "inspect", "method_missing", "methods", "respond_to?", "respond_to_missing?", "to_jail", "to_s", "instance_variable_get"] + expected = ["class", "method_missing", "methods", "respond_to?", "respond_to_missing?", "to_jail", "to_s", "instance_variable_get"] expected.delete('respond_to_missing?') if RUBY_VERSION > '1.9.3' # respond_to_missing? is private in rubies above 1.9.3 objects.each do |object| assert_equal expected.sort, reject_pretty_methods(object.to_jail.methods.map(&:to_s).sort) end end def test_jail_classes_should_have_limited_methods - expected = ["new", "methods", "name", "inherited", "method_added", "inspect", + expected = ["new", "methods", "name", "inherited", "method_added", "allow", "allowed?", "allowed_methods", "init_allowed_methods", "<", # < needed in Rails Object#subclasses_of "ancestors", "==" # ancestors and == needed in Rails::Generator::Spec#lookup_class
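Review bot: both tests in this hunk only shrink the expected method-name lists, so they prove `inspect` is no longer a public method on jails and jail classes but not that sending it is rejected; add a negative test that calling `inspect` on `object.to_jail` raises the jail's disallowed-method error and that no error message or return value contains the source object's state. Separately, the unchanged `RUBY_VERSION > '1.9.3'` guard is a plain string comparison and would misorder a two-digit minor version; `Gem::Version` is the safer comparison if this file is touched again.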
References
- rubysec.com/advisories/CVE-2016-3693 (vendor advisory; NVD, GHSA)
- github.com/advisories/GHSA-c92m-rrrc-q5wf (advisory; GHSA)
- nvd.nist.gov/vuln/detail/CVE-2016-3693 (advisory; GHSA)
- projects.theforeman.org/issues/14635 (NVD)
- theforeman.org/security.html (NVD)
- www.openwall.com/lists/oss-security/2016/04/20/8 (NVD)
- access.redhat.com/errata/RHSA-2018:0336 (NVD)
- github.com/svenfuchs/safemode/commit/0f764a1720a3a68fd2842e21377c8bfad6d7126f (NVD)
- github.com/theforeman/foreman/commit/82f9b93c54f72c5814df6bab7fad057eab65b2f2 (NVD)