An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data.

Flashback time! This technical blog post looks at one of the early vulnerabilities uncovered by the Division 5 research program. The team undertook research into the Spiceworks Help Desk application. The following write-up is from the researcher on this vulnerability: Aidan Stansfield.

**About Spiceworks Help Desk Server**

This application comes in both an on-premises and cloud hosted package. Due to the Spiceworks terms of use, I performed my research upon the on-premises application, so that I was only attacking my own infrastructure and data.

The on-premises application is called Spiceworks Help Desk Server (HDS), and is packaged into an Open Virtual Appliance (OVA) file that can be run with various virtualisation technologies. The main purpose of the application is to facilitate IT support, allowing users to submit ‘tickets’ to the help desk such that an agent can look at the ticket and provide appropriate help to the user.

Exploring inside the OVA file, I located the Spiceworks HDS application and found it to be a Ruby on Rails application. This was great news as it simplified the vulnerability research process since the source code is provided and does not need to be decompiled.

**Identifying SQL Injection**

While performing source code review, I identified a SQL Injection vulnerability in:

The vulnerable function, order\_by\_for\_ticket can be found below (with some irrelevant code removed for the sake of brevity). The purpose of this function is to order a list of tickets based upon a specific column and direction (e.g., order the tickets by the date submitted).

Here we see that if the attacker can control the ‘order’ and ‘dir’ parameters to this function, then they can control the SQL that is passed to the ‘@scope.order’ function. This can be abused to perform Blind Boolean SQL injection.

**Path from Request to Vulnerable Function**

Before delving into the SQL injection, it’s important to first see where and how this function is called.

Checking for references to this function, we see it is called by the order\_by function as defined below:

The normalize\_order function takes an order object and normalizes it into the format \['sort', 'direction'\]. It does this by splitting the order objects on spaces or hyphens, which we will keep a note of for later. The order\_by function is called from within the index function of the /opt/tron/embedded/service/tron-rails/app/controllers/api/tickets\_controller.rb file, which defines the /api/tickets route. This function can be seen below:

To summarise, the SQL injection can be reached by requesting the /api/tickets endpoint with a sort query string parameter. This will call the order\_by function, which normalises the sort query string parameter to extract the column name and direction, before passing them over to the vulnerable order\_by\_for\_ticket function. This means that any agent or admin user is able to execute this SQL injection.

**Executing SQL Injection**

By adding some debug statements into the source code, it was possible to identify the underlying SQL query that is run. Requesting the /api/tickets?sort=order+direction+junk endpoint, we see the following SQL statement is made:

Note that ‘junk’ does not appear anywhere within the SQL statement. This is because the normalize\_order function splits the sort query string parameter based upon spaces or hyphens, and assigns the first two items to the order and direction respectively. Therefore, we cannot use spaces or hyphens in our payload. To get around this, we can replace spaces with SQL comments (e.g., /\*\*/). Requesting /api/tickets?sort=order/\*\*/direction/\*\*/junk results in the following SQL statement:

Notice that ‘junk’ now appears within the payload, and a default direction of ‘asc’ is assigned since our payload did not contain any spaces or hyphens. Since we only control the ORDER BY parameter, we cannot simply leak arbitrary database results directly into the page. However, as alluded to earlier, we can achieve Blind Boolean based injection to leak arbitrary data. Consider the following SQL statement:

When $condition is true, the select case statement will return 1, and so the results will be ordered by the 1st column. When $condition is false however, the select case statement will return 1/(SELECT 0), which will cause a division by zero error within the database and cause the application to return a 500 internal server error.

For example, setting the condition to 1=1 will return true, and a 200 response code:

Whereas setting the condition to 1=2 will return false, and a 500 response code:

**Escalating to RCE**

Since the database user possesses ‘super’ privileges, this SQL injection can be used to read arbitrary local files with the pg\_read\_file PostgreSQL command. A particular file of interest is the environment configuration file, which details all of the environment variables and secrets used by the Rails application. This file can be found at the following location: /var/opt/tron/etc/env.

Included in this configuration is the secret\_key\_base, which is a secret used to sign all serialized cookies. Once the secret\_key\_base is leaked from the environment configuration, an attacker can send specially crafted requests and gain remote code execution through deserialization of signed malicious data.

The ability to force a Rails application to deserialize arbitrary code after the disclosure of the secret\_key\_base is considered part of the intended internal functionalities of Rails applications and is not a separate vulnerability within the Spiceworks codebase. For technical discussion of this technique and why it is considered an intended internal functionality, see the below disclosure:

*   https://hackerone.com/reports/473888
    

Extending upon the information provided within that report, the following payload can be used to send a reverse shell to back to an attacker once the secret\_base\_key is known.

**The Fix**

The order\_by\_for\_ticket function has been patched in Spiceworks HDS version 1.3.3 by enforcing the ‘order’ and ‘dir’ parameters to be one of various set options, as can be seen below:

**Summary**

CVE-2021-43609 allows an authorised remote attacker to exploit a Blind Boolean SQL injection to read arbitrary data and files, leading to RCE through deserialization techniques inherent to Ruby on Rails. Spiceworks HDS versions < 1.3.3 are vulnerable. A proof of concept (POC) exploit can be found at CVE-2021-43609-POC. An example of the entire exploit chain can be found below:

Disclosure Timeline

*   02/09/2021 - Vulnerability identified
    
*   08/09/2021 - Initial reach out to Spiceworks Ziff Davis
    
*   23/09/2021 - Spiceworks Ziff Davis first response
    
*   23/09/2021 - Vulnerability is reported
    
*   30/10/2021 - Spiceworks Ziff Davis advises the vulnerability has been remediated
    
*   13/11/2021 - CVE-2021-43609 is assigned

CVE-2021-43609: CVE-2021-43609 Write-up

A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.

**memory leak flaw was found in ruby-magick**

Moderate severity GitHub Reviewed Published Oct 30, 2023 to the GitHub Advisory Database • Updated Oct 31, 2023

GHSA-frgf-8jr5-j2jv: memory leak flaw was found in ruby-magick

'2247064?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-5349: Invalid Bug ID

Gentoo Linux Security Advisory 202310-18 - Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging components. Versions greater than or equal to 2.2.3.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Rack: Multiple Vulnerabilities  
     Date: October 30, 2023  
     Bugs: #884795  
       ID: 202310-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Rack, the worst of  
which can lead to sequence injection in logging compontents.

Background  
==========

Rack is a modular Ruby web server interface.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-ruby/rack  < 2.2.3.1     >= 2.2.3.1

Description  
===========

Multiple vulnerabilities have been discovered in Rack. Please review the  
CVE identifiers referenced below for details.

Impact  
======

A possible denial of service vulnerability was found in the multipart  
parsing component of Rack.

A sequence injection vulnerability was found which could allow a  
possible shell escape in the Lint and CommonLogger components of Rack.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Rack users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/rack-2.2.3.1"

References  
==========

[ 1 ] CVE-2022-30122  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30122  
[ 2 ] CVE-2022-30123  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30123

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-18

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-18

Incorrect Permission Assignment for Critical Resource in GitHub Enterprise Server that allowed local operating system user accounts to read MySQL connection details including the MySQL password via configuration files. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.7.18, 3.8.11, 3.9.6, and 3.10.3.


CVE-2023-23767: Release notes - GitHub Enterprise Server 3.9 Docs

Debian Linux Security Advisory 5530-1 - Several vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface, which may result in denial of service and shell escape sequence injection.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5530-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 22, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-rackCVE ID         : CVE-2022-30122 CVE-2022-30123 CVE-2022-44570 CVE-2022-44571                 CVE-2022-44572 CVE-2023-27530 CVE-2023-27539Debian Bug     : 1029832 1032803 1033264Several vulnerabilities were discovered in ruby-rack, a modular Rubywebserver interface, which may result in denial of service and shellescape sequence injection.For the oldstable distribution (bullseye), these problems have been fixedin version 2.1.4-3+deb11u1.We recommend that you upgrade your ruby-rack packages.For the detailed security status of ruby-rack please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ruby-rackFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmU1FpxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SAig/+MS3miFMErKy2l1DjwlzjchJC0cyfMHdVn1mpWZMd3iRVuKqqhRt/GlLSXYFRaU6loJ69WqZGLdnDJtKiOUkJPip5BIL2EZccYdg7nDkvvXs6ATffnC11B/SnJ0N7YAYubtyE/924H+mLh+rpx5sMkmGWHKGssQzP1e2erpBl3FRIQcWm/E1PkvZY3VmRbSluAxb3nQ6+bm+5RDNZOzPtkFQkEuGFV4BNFYqh0JWO2lKLkdG6r8+SaeBGKq5i+WtuHxYEVLB1Go6mvyymh8vDq6Mfimfas9B9SYDKjdiU3VOLoiaXEkjepdQFzSm1QVyk9aYJ6Qb5yy8hrr8XPfVuqlumF+ACpsAK1wH+WtKdiQkdZsvFpcYKn5g4q3zMa8RSoDAEnnc9AmGGdDOT/5sdosby1XAlrO7EoVGuhzKR7i1CtAdmnvABwf1dVqv3Jrn6pg+1c278vFc/n/fyXaHiPolRhr4xSxaNiT0OQ/f+ZUJg5NAT8WIS355kefSzAWVpOYB4kMM3OcWWwohkYWf6WuUoZZsIKvdE8dnAhV6NYaChrS6wA3fiLoQu0U9m+4jdB0IDLy+uffIzYCfeFepyq/Gg8e6TIx/T8Rf1uX8VFAvqiBXc3oIlGQMfaulmQel8mGBXceLIMU+Ze0kRmMf3j5JLWotnKRFNDHAW11U2OWU==tPF2-----END PGP SIGNATURE-----

Debian Security Advisory 5530-1

Red Hat Security Advisory 2023-5980-01 - Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5980.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Satellite 6.11.5.6 async security update  
Advisory ID:        RHSA-2023:5980-01  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5980  
Issue date:         2023-10-20  
Revision:           01  
CVE Names:          CVE-2022-1292  
====================================================================

Summary: 

Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaws is available in the References section.

* ruby-git: code injection vulnerability (CVE-2022-46648)

* ruby-git: code injection vulnerability (CVE-2022-47318)

* Foreman: Arbitrary code execution through templates (CVE-2023-0118)

* Satellite/Foreman: Arbitrary code execution through yaml global parameters (CVE-2023-0462)

* openssl: c_rehash script allows command injection (CVE-2022-1292)

* openssl: the c_rehash script allows command injection (CVE-2022-2068)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This update fixes the following bugs:

2159417 - CVE-2023-0118 foreman: Arbitrary code execution through templates [rhn_satellite_6.11]  
2163523 - CVE-2023-0462 foreman: Satellite/Foreman: Arbitrary code execution through yaml global parameters [rhn_satellite_6.11]  
2242355 - CVE-2022-1292 CVE-2022-2068 puppet-agent for Satellite and Capsule: various flaws [rhn_satellite_6.11]  
2242360 - CVE-2022-47318 tfm-rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.11]  
2242364 - CVE-2022-46648 rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.11]  
2243832 - [Major Incident] CVE-2023-39325 CVE-2023-44487 yggdrasil-worker-forwarder: various flaws [rhn_satellite_6.11] 

Users of Red Hat Satellite are advised to upgrade to these updated packages,  
which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-1292

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/upgrading_and_updating_red_hat_satellite/index#updating_satellite

Red Hat Security Advisory 2023-5980-01

Red Hat Security Advisory 2023-5979-01 - Updated Satellite 6.12 packages that fixes important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include a code execution vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5979.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Satellite 6.12.5.2 Async Security Update  
Advisory ID:        RHSA-2023:5979-01  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5979  
Issue date:         2023-10-20  
Revision:           01  
CVE Names:          CVE-2022-1292  
====================================================================

Summary: 

Updated Satellite 6.12 packages that fixes important security bugs and several  
regular bugs are now available for Red Hat Satellite.

Description:

Red Hat Satellite is a system management solution that allows organizations to  
configure and maintain their systems without the necessity to provide public  
Internet access to their servers or other client systems. It performs  
provisioning and configuration management of predefined standard operating  
environments.

Security fix(es):

foreman: Arbitrary code execution through templates

foreman: Satellite/Foreman: Arbitrary code execution through yaml global parameters

foreman: OS command injection via ct_command and fcct_command

puppet-agent for Satellite and Capsule: various flaws

tfm-rubygem-git: ruby-git: code injection vulnerability

rubygem-git: ruby-git: code injection vulnerability

yggdrasil-worker-forwarder: various flaws

This update fixes the following bugs:

2159656 - CVE-2023-0118 foreman: Arbitrary code execution through templates [rhn_satellite_6.12]  
2163524 - CVE-2023-0462 foreman: Satellite/Foreman: Arbitrary code execution through yaml global parameters [rhn_satellite_6.12]  
2163694 - CVE-2022-3874 foreman: OS command injection via ct_command and fcct_command [rhn_satellite_6.12]  
2242354 - CVE-2022-1292 CVE-2022-2068 puppet-agent for Satellite and Capsule: various flaws [rhn_satellite_6.12]  
2242359 - CVE-2022-47318 tfm-rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.12]  
2242362 - CVE-2022-46648 rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.12]  
2243833 - [Major Incident] CVE-2023-39325 CVE-2023-44487 yggdrasil-worker-forwarder: various flaws [rhn_satellite_6.12]

Users of Red Hat Satellite are advised to upgrade to these updated packages,  
which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-1292

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.12/html/upgrading_and_updating_red_hat_satellite/index  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5979-01

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5931.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Satellite 6.13.5 Async Security Update  
Advisory ID:        RHSA-2023:5931-01  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5931  
Issue date:         2023-10-19  
Revision:           01  
CVE Names:          CVE-2022-1292  
====================================================================

Summary: 

Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security fix(es):

* Yggdrasil-worker-forwarder (gRPC): Rapid Reset Attack through HTTP/2 enabled web service which leads to DDoS attack (CVE-2023-44487 & CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.

* Foreman: OS command injection via ct_command and fcct_command (CVE-2022-3874)

* Foreman: Arbitrary code execution through yaml global parameters (CVE-2023-0462)

* GitPython: Remote code execution and improper input validation vulnerability (CVE-2022-24439 & CVE-2023-40267)

* Ruby-git & tfm-rubygem-git: Code injection vulnerability (CVE-2022-47318 & CVE-2022-46648)

* Python-django: Multiple flaws (CVE-2023-31047 & CVE-2023-36053)

* Puppet-agent (openssl): Multiple flaws (CVE-2022-1292 CVE-2022-2068)

This update fixes the following bugs:

2238346 - Red Hat supported provisioning templates are not recognized by RH icon on the row for a given template  
2238348 - when creating a backup on rhel7 and restoring on rhel8, the restore process will fail with permission issues  
2238350 - Virtual machine goes in re-provisioning mode while registration host using Global registration template.  
2238359 - Capsule redundantly synces *-Export-Library repos  
2238361 - Can't update the redhat_repository_url without changing the cdn_configuration to custom_cdn  
2238363 - katello-certs-check does not cause the installer to halt execution on failure  
2238367 - Satellite Web UI >> Hosts >> All Hosts page loading slow even after power isn't selected from the new option \"Manage columns\".  
2238369 - Content-export incremental with syncable format based does not include productid file into repodata directory  
2238371 - SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t  
2239041 - Reclaim space for repository fails with Cannot delete some instances of model 'Artifact' because they are referenced through protected foreign keys: 'ContentArtifact.artifact'.\"  
2238353 - The \"hammer export\" command using single thread encryption causes a performance bottleneck.  
2240781 - Remediation from CRC via Satellite shows \"Failed\" status even after successful remediation of Insights recommendations.   
2241914 - \"NoMethodError: undefined method `fact_values'\" while trying to perform inventory upload

Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-1292

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html/upgrading_and_updating_red_hat_satellite/index  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5931-01

An issue in Fnando svg_optimizer v.0.2.6 allows a remote attacker to escalate privileges when optimizing untrusted SVG content.


**svg\_optimizer rubygem external XML entity (XXE) vulnerability**

Moderate severity GitHub Reviewed Published Oct 20, 2023 to the GitHub Advisory Database • Updated Oct 20, 2023

Tag

#ruby