CVE-2017-7540

CRITICAL

rubygem-safemode <1.3.2 - Privilege Escalation

Title source: llm

Description

rubygem-safemode, as used in Foreman, in versions 1.3.2 and earlier is vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete permissions, or possibly to privilege escalation.

References (1)

Core References
Issue Tracking (x_refsource_misc): https://github.com/svenfuchs/safemode/pull/23

Scores

CVSS v3 9.8
EPSS 0.0163
EPSS Percentile 73.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-184
Status published
Products (3)
Red Hat, Inc./rubygem-safemode 1.3.2 and earlier
rubygems/safemode 0 - 1.3.2 (RubyGems)
safemode_project/safemode < 1.3.2
Published Jul 21, 2017
Tracked Since Feb 18, 2026