High severityNVD Advisory· Published Jun 5, 2023· Updated Jan 8, 2025
Possible unsafe reflection / partial denial of service in avo
CVE-2023-34102
Description
Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit ec117882d which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
avoRubyGems | < 2.33.3 | 2.33.3 |
avoRubyGems | >= 3.0.0.pre1, <= 3.0.0.pre12 | — |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-86h2-2g4g-29qxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-34102ghsaADVISORY
- github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17ghsax_refsource_MISCWEB
- github.com/avo-hq/avo/releases/tag/v2.33.3ghsaWEB
- github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qxghsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2023-34102.ymlghsaWEB
News mentions
0No linked articles in our index yet.