FKIE_CVE-2024-28121

Vulnerability from fkie_nvd - Published: 2024-03-12 20:15 - Updated: 2025-12-03 17:13
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\"target\":\"[class_name]#[method_name]\",\"args\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice.
References
security-advisories@github.comhttp://seclists.org/fulldisclosure/2024/Mar/16Exploit, Third Party Advisory
security-advisories@github.comhttps://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83Technical Description
security-advisories@github.comhttps://github.com/stimulusreflex/stimulus_reflex/commit/538582d240439aab76066c72335ea92096cd0c7fPatch
security-advisories@github.comhttps://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2Product, Release Notes
security-advisories@github.comhttps://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4Product, Release Notes
security-advisories@github.comhttps://github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2024/Mar/16Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83Technical Description
af854a3a-2127-422b-91ae-364da2661108https://github.com/stimulusreflex/stimulus_reflex/commit/538582d240439aab76066c72335ea92096cd0c7fPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2Product, Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4Product, Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65Exploit, Vendor Advisory
Impacted products
Vendor Product Version
stimulusreflex stimulusrelfex *
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
stimulusreflex stimulusrelfex 3.5.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2AF2E16-66DC-4D13-9874-5A085F749360",
              "versionEndExcluding": "3.4.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre1:*:*:*:*:*:*",
              "matchCriteriaId": "43E5D805-62D2-4F50-A685-84085E31B857",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre10:*:*:*:*:*:*",
              "matchCriteriaId": "2C430B21-0D71-4B80-BBE1-CF1BBAF8190D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre2:*:*:*:*:*:*",
              "matchCriteriaId": "21D141A2-60A1-4F5C-955C-D40E70B3F12C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre3:*:*:*:*:*:*",
              "matchCriteriaId": "453438E7-1F0B-43A9-8D94-A7510B0094FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre4:*:*:*:*:*:*",
              "matchCriteriaId": "57412721-4013-4EB3-AA4B-FB76773A5534",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre5:*:*:*:*:*:*",
              "matchCriteriaId": "6BB95FE6-38EE-436B-93C7-A20967D9D03E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre6:*:*:*:*:*:*",
              "matchCriteriaId": "D2CC3F1D-547A-4A03-A7D1-71132744B0CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre7:*:*:*:*:*:*",
              "matchCriteriaId": "70DA9FDB-843D-4D14-89F3-88DB9AF46CA7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre8:*:*:*:*:*:*",
              "matchCriteriaId": "67299098-B253-4678-9C40-F6980EDF0879",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:pre9:*:*:*:*:*:*",
              "matchCriteriaId": "FDB23841-1F34-44D2-B9DC-ED9736515754",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "D57C60F7-EBEC-4DDA-9649-2D4ABA117F09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "604C86CB-59CF-4B84-A1D3-D0E982207FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:stimulusreflex:stimulusrelfex:3.5.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "A096C05D-53EA-4713-A0B4-6AF522CC36A2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security implications. To invoke a reflex a websocket message of the following shape is sent: `\\\"target\\\":\\\"[class_name]#[method_name]\\\",\\\"args\\\":[]`. The server will proceed to instantiate `reflex` using the provided `class_name` as long as it extends `StimulusReflex::Reflex`. It then attempts to call `method_name` on the instance with the provided arguments. This is problematic as `reflex.method method_name` can be more methods that those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method. This vulnerability has been patched in versions 3.4.2 and 3.5.0.rc4. Users unable to upgrade should: see the backing GHSA advisory for mitigation advice."
    },
    {
      "lang": "es",
      "value": "stimulus_reflex es un sistema para ampliar las capacidades de Rails y Stimulus interceptando las interacciones del usuario y pas\u00e1ndolas a Rails a trav\u00e9s de websockets en tiempo real. En las versiones afectadas se pueden invocar m\u00e1s m\u00e9todos de los esperados en instancias reflejas. Poder llamar a algunos de ellos tiene implicaciones de seguridad. Para invocar un reflejo, se env\u00eda un mensaje websocket con la siguiente forma: `\\\"target\\\":\\\"[class_name]#[method_name]\\\",\\\"args\\\":[]`. El servidor proceder\u00e1 a crear una instancia de `reflex` utilizando el `class_name` proporcionado siempre que extienda `StimulusReflex::Reflex`. Luego intenta llamar a \"method_name\" en la instancia con los argumentos proporcionados. Esto es problem\u00e1tico ya que `reflex.method method_name` puede contener m\u00e1s m\u00e9todos que los especificados expl\u00edcitamente por el desarrollador en su clase refleja. Un buen ejemplo es el m\u00e9todo instance_variable_set. Esta vulnerabilidad ha sido parcheada en las versiones 3.4.2 y 3.5.0.rc4. Los usuarios que no puedan actualizar deben: consultar el aviso de respaldo de GHSA para obtener consejos de mitigaci\u00f3n."
    }
  ],
  "id": "CVE-2024-28121",
  "lastModified": "2025-12-03T17:13:55.833",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-12T20:15:08.313",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2024/Mar/16"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/commit/538582d240439aab76066c72335ea92096cd0c7f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2024/Mar/16"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/blob/0211cad7d60fe96838587f159d657e44cee51b9b/app/channels/stimulus_reflex/channel.rb#L83"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/commit/538582d240439aab76066c72335ea92096cd0c7f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.4.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/releases/tag/v3.5.0.rc4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/stimulusreflex/stimulus_reflex/security/advisories/GHSA-f78j-4w3g-4q65"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-470"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.