VYPR
High severity · NVD Advisory · Published Jun 5, 2023 · Updated Jan 8, 2025

Possible unsafe reflection / partial denial of service in avo

CVE-2023-34102

Description

Avo is an open source Ruby on Rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and the back end does not validate those class names. Viewing a manipulated record can therefore lead to unexpected behavior, remote code execution, or application crashes. This issue has been addressed in commit ec117882d, which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions                  Patched versions
avo (RubyGems)   < 2.33.3                           2.33.3
avo (RubyGems)   >= 3.0.0.pre1, <= 3.0.0.pre12      (none listed)
