|
|
|
|
|
|
by fowlduck
4905 days ago
|
|
|
It is the same vulnerability at a fundamental level (it's virtually the same code), but it isn't exploitable out of the box in the same way Rails was, at least not on its own. However, there is a web framework, Grape, that was exploitable in exactly the same way that Rails was due to MultiXml's vulnerability. And, really, technically, it was ActiveSupport that had this vulnerability. Even outside of Rails, had you used Hash.from_xml on untrusted user input you would have run into exactly the same issues. |
|
|