Bug 1473243 (CVE-2017-7540) - CVE-2017-7540 rubygem-safemode: Bypassing the whitelist of safe commands via block_pass
Summary: CVE-2017-7540 rubygem-safemode: Bypassing the whitelist of safe commands via ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7540
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1473795
Blocks: 1473244
TreeView+ depends on / blocked
 
Reported: 2017-07-20 09:56 UTC by Adam Mariš
Modified: 2021-10-21 11:55 UTC (History)
20 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-10-21 11:55:00 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2017-07-20 09:56:14 UTC 
A vulnerability was found in rubygem-safemode, used e.g. in Foreman. It has been found that user rendering a template (e.g. with edit_templates permission) can bypass safe mode limitations through a special ruby syntax. This can lead e.g. to deletion of objects for which the user does not have delete permissions or possibly to privilege escalation.

Upstream bug:

https://github.com/svenfuchs/safemode/pull/23

Foreman bug:

http://projects.theforeman.org/issues/20271/
Comment 1 Adam Mariš 2017-07-20 09:56:34 UTC 
Acknowledgments:

Name: Tomer Brisker (Red Hat)
Comment 2 Siddharth Sharma 2017-07-20 10:22:13 UTC 
Analysis:

ruby193-rubygem-safemode shipped in Red Hat Ceph Storage 1.3 is in tech preview and would be used only when installing ceph with foreman installer. Installing ceph via ceph-deploy does not use ruby193-rubygem-safemode.
Note You need to log in before you can comment on or make changes to this bug.