SCA: security update for @turbo-boost/commands, turbo_boost-commands (GHSA-mp76-7w5v-pr75)

high Tenable Self-Hosted Container Security Plugin ID 417050

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails &
Hotwire. TurboBoost Commands has existing protections in place to guarantee that only public methods on
Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's
possible for a sophisticated attacker to invoke more methods than should be permitted depending on the the
strictness of authorization checks that individual applications enforce. Being able to call some of these
methods can have security implications. Commands verify that the class must be a `Command` and that the
method requested is defined as a public method; however, this isn't robust enough to guard against all
unwanted code execution. The library should more strictly enforce which methods are considered safe before
allowing them to be executed. This issue has been addressed in versions 0.1.3, and 0.2.2. Users are
advised to upgrade. Users unable to upgrade should see the repository GHSA for workaround advice.
(CVE-2024-28181)

See Also

https://github.com/advisories/GHSA-mp76-7w5v-pr75

Plugin Details

Severity: High

ID: 417050

Version: Revision 1.14

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-28181

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/15/2024

Vulnerability Publication Date: 3/14/2024

Reference Information

CVE: CVE-2024-28181

cwe: CWE-74