8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-28121

GHSA ID

GHSA-f78j-4w3g-4q65

EPSS Score

0.56321%

CWE

CWE-470

Published

3/12/2024

Updated

9/25/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-28121

CVE-2024-28121: StimulusReflex arbitrary method call

Summary

More methods than expected can be called on reflex instances. Being able to call some of them has security implications.

Details

To invoke a reflex a websocket message of the following shape is sent:

{ 
  "target": "[class_name]#[method_name]", 
  "args": [] 
}

The server will proceed to instantiate reflex using the provided class_name as long as it extends StimulusReflex::Reflex. It then attempts to call method_name on the instance with the provided arguments ref:

method = reflex.method method_name
required_params = method.parameters.select { |(kind, _)| kind == :req }
optional_params = method.parameters.select { |(kind, _)| kind == :opt }

if arguments.size >= required_params.size && arguments.size <= required_params.size + optional_params.size
  reflex.public_send(method_name, *arguments)
end

This is problematic as reflex.method(method_name) can be more methods than those explicitly specified by the developer in their reflex class. A good example is the instance_variable_set method.

<details> <summary>Read more</summary> Let's imagine a reflex that uses `@user` as a trusted variable in an `after_reflex` callback.

This variable can be overwritten using the following message:

{
  "target": "ChatReflex#instance_variable_set", 
  "args": ["@user", "<admin-id>"]
}

Here are other interesting methods that were found to be available for the ChatReflex sample reflex

remote_byebug: bind a debugging server
pry: drop the process in a REPL session

All in all, only counting :req and :opt parameters helps. For example around only was checked which allowed access to the method ()

</details>

Miggo Vulnerability Database

→

CVE-2024-28121

CVE-2024-28121:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-28121

GHSA ID

GHSA-f78j-4w3g-4q65

EPSS Score

0.56321%

CWE

CWE-470

Published

3/12/2024

Updated

9/25/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
stimulus_reflex	rubygems	>= 3.5.0.pre0, < 3.5.0.rc4	3.5.0.rc4
stimulus_reflex	rubygems	< 3.4.2	3.4.2
stimulus_reflex	npm	< 3.4.2	3.4.2
stimulus_reflex	npm	>= 3.5.0-pre0, < 3.5.0-rc4	3.5.0-rc4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions: 1) The channel's method invocation logic allowed any public method (including from parent classes like StimulusReflex::Reflex) to be called if parameter counts matched, enabling access to dangerous methods like instance_variable_set. 2) The parameter validation policy focused only on arity checks rather than method ownership. The patch introduced method origin validation in ReflexFactory (verify_method_name!) and restricted methods to those explicitly defined in developer-controlled reflex ancestors, confirming these as the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-28121: StimulusReflex arbitrary method call

Summary

Details

CVE-2024-28121:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.8

8.8

Basic Information

Basic Information

CVE-2024-28121: StimulusReflex arbitrary method call

Summary

Details

Patches

Workaround

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-28121: StimulusReflex arbitrary method call

Summary

Details

CVE-2024-28121:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.8

8.8

Basic Information

Basic Information

CVE-2024-28121: StimulusReflex arbitrary method call

Summary

Details

Patches

Workaround

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI