8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-3693

GHSA ID

GHSA-c92m-rrrc-q5wf

EPSS Score

0.71792%

CWE

CWE-200

Published

10/24/2017

Updated

9/5/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-3693

CVE-2016-3693: safemode gem allows context-dependent attackers to obtain sensitive information via the inspect method

The Safemode gem before 1.2.4 for Ruby, when initialized with a delegate object that is a Rails controller, allows context-dependent attackers to obtain sensitive information via the inspect method.

(GitHub Advisory)

8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-3693

GHSA ID

GHSA-c92m-rrrc-q5wf

EPSS Score

0.71792%

CWE

CWE-200

Published

10/24/2017

Updated

9/5/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
safemode	rubygems	< 1.2.4	1.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Safemode's Blankslate class explicitly allowing the 'inspect' method in both instance and class method whitelists. The commit diff shows 'inspect' was removed from both @@allow_instance_methods and @@allow_class_methods arrays in lib/safemode/blankslate.rb. Since Safemode delegates to Rails controllers, calling 'inspect' on these objects would leak sensitive application state. The patch directly addresses this by removing 'inspect' from allowed methods, confirming these were the vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** S***mo** **m ***or* *.*.* *or Ru*y, w**n initi*liz** wit* * **l***t* o*j**t t**t is * R*ils *ontroll*r, *llows *ont*xt-**p*n**nt *tt**k*rs to o*t*in s*nsitiv* in*orm*tion vi* t** insp**t m*t*o*.

Reasoning

T** vuln*r**ility st*ms *rom S***mo**'s *l*nksl*t* *l*ss *xpli*itly *llowin* t** 'insp**t' m*t*o* in *ot* inst*n** *n* *l*ss m*t*o* w*it*lists. T** *ommit *i** s*ows 'insp**t' w*s r*mov** *rom *ot* @@*llow_inst*n**_m*t*o*s *n* @@*llow_*l*ss_m*t*o*s *

8.1

Basic Information

Concerned about an active attack path?

CVE-2016-3693: safemode gem allows context-dependent attackers to obtain sensitive information via the inspect method

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI