
CVE-2023-26153: geokit-rails Command Injection vulnerability

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.49853%
Published: 10/6/2023
Updated: 11/8/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: geokit-rails
Ecosystem: rubygems
Vulnerable Versions: < 2.5.0
First Patched Version: 2.5.0

Vulnerability Intelligence

Root Cause Analysis

The critical vulnerability stemmed from two functions: 1) retrieve_location_from_cookie_or_service called YAML.load directly on user-controlled cookie data (CWE-502), which deserializes arbitrary objects and allows code execution; the patch replaced YAML with JSON in this path. 2) store_ip_location wrote the cookie with to_yaml, which created the persistent attack vector. Confidence is high because vulnerability reports explicitly call out the YAML.load usage in the retrieval path, and the patch directly addresses both the serialization and deserialization methods.
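As an added illustration of the patched pattern described above (not geokit-rails' own code; the module, method and key names are assumptions): the store path emits JSON instead of to_yaml, the retrieve path parses with JSON.parse and keeps only expected keys, and a legacy YAML cookie is read only through YAML.safe_load, which refuses tagged Ruby objects instead of instantiating them.

```ruby
require 'json'
require 'yaml'

# Hypothetical helper mirroring the two code paths named in the root-cause
# analysis (store_ip_location / retrieve_location_from_cookie_or_service).
# Constructed for this example; not the geokit-rails implementation.
module GeoLocationCookie
  ALLOWED_KEYS = %w[lat lng city state country_code].freeze

  # Patched store path: write JSON rather than to_yaml, and only known fields.
  def self.serialize(location)
    location.select { |k, _| ALLOWED_KEYS.include?(k.to_s) }
            .transform_keys(&:to_s)
            .to_json
  end

  # Patched retrieve path: JSON.parse never instantiates Ruby objects, so a
  # tampered cookie can at worst yield an unexpected Hash, which is filtered.
  def self.deserialize(cookie_value)
    data = JSON.parse(cookie_value)
    return nil unless data.is_a?(Hash)
    data.select { |k, _| ALLOWED_KEYS.include?(k) }
  rescue JSON::ParserError
    nil
  end

  # Detection aid for cookies still carrying the pre-2.5.0 YAML format:
  # a YAML document with Ruby object tags is never a legitimate location.
  def self.suspicious_yaml_cookie?(cookie_value)
    cookie_value.include?('!ruby/')
  end

  # Minimum hardening for a legacy YAML cookie: safe_load raises
  # Psych::DisallowedClass on any tagged class instead of instantiating it.
  def self.safe_yaml_deserialize(cookie_value)
    YAML.safe_load(cookie_value)
  end
end
```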


WAF Protection Rules

WAF Rule

Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker
