Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
💎 RubyGems

GHSA-86h2-2g4g-29qx

HIGH

avo possible unsafe reflection / partial DoS vulnerability

Also known asCVE-2023-34102
Published
Jun 6, 2023
Updated
Jun 25, 2024
Affected
2 pkgs
Patched
1 / 2
Exploits
1 known

EPSS Exploitation Probability

via FIRST.org ↗
1.6%probability of exploitation in next 30 days
Lower Risk73th percentile-6.10%
0.00%3.68%7.36%11.0%7.7%1.6%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected
💎avo💎avo

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects RubyGems packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record.

Details

After reviewing the polymorphic field implementation and performing some black box approaches, we identified a potential security issue related to the use of safe_constantize / constantize. This Rails functionality is capable of searching for classes within the Rails context and returning the class for further use. Because Avo does not validate user input when updating or creating a new polymorphic resource, it is possible to create database entries with completely different or invalid class names than the preselected ones. Avo assumes that the class specified by the user request is a valid one and attempts to work with it, which may result in dangerous behavior and code execution.

PoC

image In the test scenario we choose the demo app and the review resource which has a polymorphic reviewable field.

image Intercepting the request and switching the review[reviewable_type] from “Fish” to “File” which is a real class inside Rails

image Corrupting the database with unusable classes will cause a crash at the application while viewing the new record or the index view (partial DoS)

image Manual delete the corrupted resource in order to recover the applications functionality

image Of course it is possible to use other class names or namespaces. The local development environment displays the backend error message when visiting a corrupted record. Avo is trying to apply a scope to this class that does not exist.

image Specifying an invalid class name in the parameter will cause the application to crash again while trying constanize the provided string

Impact

The final exploitation of this vulnerability requires more time than is provided in this assessment, but initial testing of the post request shows the potential critical risk. The classes could be instantiated at any point in the code and this could also lead to code execution.

Recommendation

Avo should be configured to never trust user-supplied input, especially when defining classes for records. In this particular case, Avo can evaluate the options list given for the polymorphic field and only allow strings from that list. With this white-list approach, an attacker cannot supply unintended classes.

Affected Packages

2 total 1 fixed
EcosystemPackageVulnerable rangeFix
💎RubyGemsavoall versions2.33.3
💎RubyGemsavo3.0.0.pre1No fix
Exploits & PoCs
1

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

Avo is an open source ruby on rails admin panel creation framework. The …

github.comNVDJun 2023

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for avo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update avo to 2.33.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-86h2-2g4g-29qx is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-86h2-2g4g-29qx is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-86h2-2g4g-29qx. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. ### Details After reviewing the polymorphic field implementation and performing some black box approaches, we identified a potential security issue related to the use of safe_constantize / constantize. This Rails functionality is capable of searching for classes within the Rails context and returning the class for further
O3 Security · Impact-Aware SCA

Is GHSA-86h2-2g4g-29qx in your dependencies?

O3 detects GHSA-86h2-2g4g-29qx across RubyGems dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works