DerScanner
Home / Vulnerability Database / Ruby : OpenURI usage
Ruby

Ruby : OpenURI usage

Classification

OWASP Top 10 2013
A1-InjectionA7-Missing Function Level Access Control
OWASP Top 10 2017
A1-InjectionA5-Broken Access Control
OWASP Top 10 2021
A3-InjectionA1-Broken Access Control
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (a)(1)
CWE
CWE-1027CWE-1033

Overview

Using the OpenURI library is not safe, because it allows remote execution of arbitrary code.

OpenURI is a standard library for working with URLs. require "open-uri" internally patches Kernel.open, which allows the attacker to execute code remotely and read local files.

References

  1. Using open-uri? Check your code - you’re playing with fire!
  2. ruby-doc - OpenURI
  3. OWASP Top 10 2017-A5-Broken Access Control
  4. OWASP Top 10 2017-A1-Injection
  5. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
  6. CWE-1033
CRITICAL

DerScanner Severity Score

Do you want to fix Ruby : OpenURI usage in your application?

See also

Ruby

Ruby : Weak hashing algorithm

Ruby

Ruby : Empty encryption key

Ruby

Ruby : Hardcoded sensitive data