{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/rubygems/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41316"}],"_cs_exploited":false,"_cs_products":["ERB"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","ruby","rails"],"_cs_type":"advisory","_cs_vendors":["RubyGems"],"content_html":"\u003cp\u003eRuby versions before ERB 2.2.0 implemented an \u003ccode\u003e@_init\u003c/code\u003e instance variable guard in \u003ccode\u003eERB#result\u003c/code\u003e and \u003ccode\u003eERB#run\u003c/code\u003e to prevent code execution upon deserialization via \u003ccode\u003eMarshal.load\u003c/code\u003e. This guard is intended to block execution when an ERB object is reconstructed from untrusted data. However, the methods \u003ccode\u003eERB#def_method\u003c/code\u003e, \u003ccode\u003eERB#def_module\u003c/code\u003e, and \u003ccode\u003eERB#def_class\u003c/code\u003e were not given the same protection, creating a bypass. An attacker capable of triggering \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data in a Ruby application with the \u003ccode\u003eerb\u003c/code\u003e gem loaded can exploit \u003ccode\u003eERB#def_module\u003c/code\u003e (using its zero-argument, default-parameter form) as a code execution sink. This bypass impacts Ruby on Rails applications that import untrusted serialized data, Ruby tools employing \u003ccode\u003eMarshal.load\u003c/code\u003e for caching or IPC, and legacy Rails applications (pre-7.0) utilizing Marshal for cookie session serialization. This bypass renders the \u003ccode\u003e@_init\u003c/code\u003e mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3. Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this enables a universal RCE gadget chain for Ruby 3.2+ applications using Rails. The vulnerability is identified as CVE-2026-41316.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Ruby object containing an \u003ccode\u003eERB\u003c/code\u003e instance and/or an \u003ccode\u003eActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eERB\u003c/code\u003e instance has its \u003ccode\u003e@src\u003c/code\u003e instance variable set to a string containing malicious code with the \u0026ldquo;end\\nsystem(\u0026lsquo;id\u0026rsquo;)\\ndef x\u0026rdquo; payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application calls \u003ccode\u003eMarshal.load\u003c/code\u003e on the crafted object, triggering deserialization.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the \u003ccode\u003eDeprecatedInstanceVariableProxy\u003c/code\u003e is instantiated (if used), which then invokes the \u003ccode\u003eERB#def_module\u003c/code\u003e method via \u003ccode\u003emethod_missing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eERB#def_module\u003c/code\u003e method calls \u003ccode\u003eERB#def_method\u003c/code\u003e without checking the \u003ccode\u003e@_init\u003c/code\u003e guard.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eERB#def_method\u003c/code\u003e, the malicious code in \u003ccode\u003e@src\u003c/code\u003e is wrapped in a method definition and evaluated via \u003ccode\u003emodule_eval\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;end\\nsystem(\u0026lsquo;id\u0026rsquo;)\\ndef x\u0026rdquo; payload causes the \u003ccode\u003esystem('id')\u003c/code\u003e command to execute during the \u003ccode\u003emodule_eval\u003c/code\u003e call, bypassing the intended deserialization protection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the target system, gaining the ability to perform malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code on the target system. This affects Ruby applications, including Ruby on Rails, which use \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data. Specific impact includes potential compromise of web servers and the ability to read sensitive files, modify data, or install malware. Vulnerable applications include those using \u003ccode\u003eMarshal.load\u003c/code\u003e for caching, data import, or IPC, and legacy Rails applications (pre-7.0) using Marshal for cookie session serialization. This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade your erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, or 6.0.4 to patch the vulnerability as described in the \u0026ldquo;Patches\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eAvoid using \u003ccode\u003eMarshal.load\u003c/code\u003e on untrusted data, as it is inherently unsafe. Consider using alternative serialization formats like JSON or YAML.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect ERB def_module Code Execution via Deserialization\u0026rdquo; Sigma rule to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-erb-deserialization/","summary":"A deserialization vulnerability exists in Ruby ERB versions before 4.0.3.1, version 4.0.4, ERB versions 5.0.0 before 6.0.1.1, and ERB versions 6.0.2 before 6.0.4. The `@_init` instance variable guard in `ERB#result` and `ERB#run` can be bypassed via `ERB#def_module`, `ERB#def_method`, and `ERB#def_class`, allowing arbitrary code execution when an ERB object is reconstructed via `Marshal.load` on untrusted data.","title":"ERB Deserialization Bypass via def_module/def_method/def_class","url":"https://feed.craftedsignal.io/briefs/2026-04-erb-deserialization/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["OpenC3"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","openc3","cosmos","questdb","telemetry"],"_cs_type":"advisory","_cs_vendors":["rubygems"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in the OpenC3 COSMOS Time-Series Database (TSDB) component, which utilizes QuestDB. The vulnerability resides within the \u003ccode\u003etsdb_lookup\u003c/code\u003e function in the \u003ccode\u003ecvt_model.rb\u003c/code\u003e file, where user-supplied input is directly incorporated into SQL queries without proper sanitization. An authenticated attacker with \u0026ldquo;tlm\u0026rdquo; permissions, which includes Admin, Operator, Viewer, or Runner roles, can exploit this flaw to inject arbitrary SQL commands. This can lead to unauthorized data access, modification, or deletion within the TSDB. The affected versions are OpenC3 rubygems package versions \u0026gt;= 6.7.0 and \u0026lt; 7.0.0-rc3. Successful exploitation allows attackers to compromise the confidentiality, integrity, and availability of telemetry data stored within the COSMOS system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the COSMOS system with a role that possesses \u0026ldquo;tlm\u0026rdquo; permissions (Admin, Operator, Viewer, or Runner).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON-RPC request targeting the \u003ccode\u003eget_tlm_values\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request body, the attacker injects a SQL payload into the \u003ccode\u003estart_time\u003c/code\u003e parameter, such as \u003ccode\u003e' OR 1=1 --\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etsdb_lookup\u003c/code\u003e function incorporates the unsanitized input into a SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload manipulates the query logic, allowing the attacker to bypass intended restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then exfiltrate all telemetry data within the database by manipulating the SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the SQL payload to execute arbitrary commands, such as \u003ccode\u003eDROP TABLE\u003c/code\u003e statements.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully deletes historical data from the database, impacting data availability and system integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability allows an attacker to perform unauthorized actions on the OpenC3 COSMOS Time-Series Database (TSDB). An attacker with \u0026ldquo;tlm\u0026rdquo; permissions can disclose sensitive telemetry data, modify existing data, or delete data altogether. The vulnerability impacts systems running OpenC3 rubygems package versions \u0026gt;= 6.7.0 and \u0026lt; 7.0.0-rc3. Depending on the role of the compromised account and the specific SQL commands executed, an attacker could potentially cause significant disruption to operations relying on the integrity and availability of telemetry data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erubygems/openc3\u003c/code\u003e package to version 7.0.0-rc3 or later to remediate the SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input sanitization on user-supplied data within the \u003ccode\u003etsdb_lookup\u003c/code\u003e function in \u003ccode\u003ecvt_model.rb\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious OpenC3 Telemetry Requests\u0026rdquo; to identify potential exploitation attempts targeting the \u003ccode\u003eget_tlm_values\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview and restrict \u0026ldquo;tlm\u0026rdquo; permissions to the \u003ccode\u003eget_tlm_values\u003c/code\u003e RPC endpoint according to the principle of least privilege, limiting access to only those users who require it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T14:12:02Z","date_published":"2026-04-23T14:12:02Z","id":"/briefs/2024-01-09-openc3-sql-injection/","summary":"A SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS, allowing an authenticated remote user to execute arbitrary SQL commands, including telemetry data disclosure and deletion.","title":"OpenC3 COSMOS SQL Injection Vulnerability in QuestDB Time-Series Database","url":"https://feed.craftedsignal.io/briefs/2024-01-09-openc3-sql-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openc3"],"_cs_severities":["critical"],"_cs_tags":["openc3","cosmos","script-runner","permissions-bypass","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["rubygems"],"content_html":"\u003cp\u003eThe openc3-COSMOS-script-runner-api container includes a Script Runner widget that enables users to execute Python and Ruby scripts. A vulnerability exists where users with script execution privileges can bypass API permission checks due to shared networking among Docker containers. This bypass allows unauthorized administrative actions such as reading and modifying data within the Redis database, which can lead to the exposure of sensitive credentials and alteration of COSMOS settings. Attackers can also read and write to the buckets service, affecting configuration, logs, and plugins. The vulnerability affects versions prior to 7.0.0-rc3 of the rubygems/openc3 package, posing a significant risk to data integrity and system security. Any authenticated user with script execution capabilities can exploit this flaw to connect to any service within the Docker network, escalating their privileges and gaining control over critical system components.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into the OpenC3 COSMOS platform with a valid, non-administrative user account that has access to the Script Runner widget.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a Ruby script to extract Redis credentials (username, password, hostname, port) by querying the environment variables within the \u003ccode\u003eopenc3-COSMOS-script-runner-api\u003c/code\u003e container using a command like \u003ccode\u003eputs \\\u003c/code\u003eenv | grep redis``.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the Ruby script within the Script Runner widget, successfully retrieving the Redis credentials, which are then displayed in the script\u0026rsquo;s output.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a Python script using the obtained Redis credentials to connect to the Redis database. The script is designed to create a new entry or modify an existing one. For example, \u003ccode\u003er.hset('openc3__settings_hacked','store_url',json.dumps(setting_data))\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker executes the Python script within the Script Runner widget, successfully adding or modifying data in the Redis database, bypassing normal permission controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to write to the buckets service to modify critical system configuration files, such as the plugin store URL, by uploading a malicious file via a Python or Ruby script.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the changes by using \u003ccode\u003eredis-cli\u003c/code\u003e to confirm the new data was added to the Redis database, or by observing the altered behavior of the system due to the modified configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the OpenC3 COSMOS environment by exploiting modified settings, potentially leading to data exfiltration, service disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized data disclosure and manipulation within the OpenC3 COSMOS environment. An attacker can access sensitive information such as Redis credentials, modify system settings, and alter configuration files, leading to privilege escalation. The number of affected installations is currently unknown, but the vulnerability poses a significant risk to organizations using OpenC3 COSMOS, potentially resulting in complete system compromise and loss of data integrity. The vulnerability allows unauthorized access to data and functionality typically restricted to administrators, bypassing intended security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erubygems/openc3\u003c/code\u003e package to version 7.0.0-rc3 or later to remediate the vulnerability (reference: rubygems/openc3 v7.0.0-rc3).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate the \u003ccode\u003eopenc3-COSMOS-script-runner-api\u003c/code\u003e container from other critical services like Redis, limiting the blast radius of potential attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of suspicious scripts within the Script Runner widget that attempt to access Redis or modify configuration files.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events within the \u003ccode\u003eopenc3-COSMOS-script-runner-api\u003c/code\u003e container for commands such as \u003ccode\u003eenv | grep redis\u003c/code\u003e or any calls to \u003ccode\u003eredis-cli\u003c/code\u003e which is abnormal behavior, and create alerts (reference: process_creation log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-08T12:00:00Z","date_published":"2024-11-08T12:00:00Z","id":"/briefs/2024-11-openc3-cosmos-bypass/","summary":"The OpenC3 COSMOS Script Runner widget allows authenticated users to bypass API permissions checks and execute administrative actions by running specially crafted Python and Ruby scripts, leading to data manipulation and privilege escalation.","title":"OpenC3 COSMOS Script Runner Permissions Bypass","url":"https://feed.craftedsignal.io/briefs/2024-11-openc3-cosmos-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["avo"],"_cs_severities":["high"],"_cs_tags":["broken-access-control","privilege-escalation","ruby"],"_cs_type":"advisory","_cs_vendors":["rubygems"],"content_html":"\u003cp\u003eA critical broken access control vulnerability exists within the Avo framework, specifically affecting version 3.x. This vulnerability resides in the \u003ccode\u003eActionsController\u003c/code\u003e and stems from an insecure action lookup mechanism. An authenticated user, regardless of their privilege level, can execute any Action class (descendants of \u003ccode\u003eAvo::BaseAction\u003c/code\u003e) on any resource within the application. This occurs because the system fails to validate whether the requested action is legitimately registered or permitted for the resource context specified in the request. The absence of this verification allows for the circumvention of intended resource-action mappings. Successful exploitation leads to privilege escalation, unauthorized data manipulation, and potential compromise of the application\u0026rsquo;s integrity. It is recommended to upgrade to version 3.31.2 or later, which addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Avo admin panel with low-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a sensitive action class, such as \u003ccode\u003eAvo::Actions::ToggleAdmin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target record ID, such as a user ID they wish to manipulate.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to a resource endpoint where the target action is NOT registered (e.g., \u003ccode\u003e/admin/resources/posts/actions\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe POST request includes a payload containing the \u003ccode\u003eaction_id\u003c/code\u003e parameter set to the sensitive action class (\u003ccode\u003eAvo::Actions::ToggleAdmin\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe POST request also includes a \u003ccode\u003efields[avo_resource_ids]\u003c/code\u003e parameter set to the target record ID.\u003c/li\u003e\n\u003cli\u003eDue to the insecure action lookup in \u003ccode\u003eAvo::ActionsController\u003c/code\u003e, the server executes the \u003ccode\u003eToggleAdmin\u003c/code\u003e action on the specified user ID.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s privileges are escalated, or unauthorized data manipulation occurs due to the successful execution of the unintended action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of this broken access control vulnerability can have severe consequences. A successful attack can lead to privilege escalation, allowing attackers to gain administrative control over the application. Unauthorized operations can be performed, leading to data breaches or data manipulation. Sensitive actions designed for restricted resources can be triggered against any record ID, potentially compromising the integrity and confidentiality of data. The impact includes unauthorized deletion, archival, or updates to records, causing reputational damage and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Avo version 3.31.2 or later, which contains the necessary fix to restrict action lookup to registered actions for the current resource context.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Avo Unauthorized Action Execution\u003c/code\u003e to monitor for attempts to execute actions on resources where they are not registered.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Avo action registrations to ensure that actions are appropriately mapped to resources within the application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-avo-broken-access-control/","summary":"Avo framework version 3.x contains a critical Broken Access Control vulnerability in the ActionsController. Due to insecure action lookup logic, an authenticated user can execute any Action class on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. Version 3.31.2 remediates this issue.","title":"Avo Framework Broken Access Control Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-avo-broken-access-control/"}],"language":"en","title":"CraftedSignal Threat Feed — Rubygems","version":"https://jsonfeed.org/version/1.1"}