simple_form is vulnerable to authorization bypass. The vulnerability exists as file_method?
was incorrectly called in lib/simple_form/form_builder.rb
, allowing a user-supplied string to be invoked as a method call through #send
.
blog.plataformatec.com.br/2019/09/incorrect-access-control-in-simple-form-cve-2019-16676/
github.com/plataformatec/simple_form/commit/8c91bd76a5052ddf3e3ab9fd8333f9aa7b2e2dd6
github.com/plataformatec/simple_form/commits/master
github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
github.com/rubysec/ruby-advisory-db/pull/417