SYM_RB_0027 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Control of Generation of Code ('Code Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using the `:marshal` or `:hybrid` cookie serializer allows cookies to be deserialized with Ruby's Marshal format, which is unsafe. Attackers who can tamper with cookies may exploit this to run malicious code on your server.
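As an added example (not part of the SymbioticSec database or of Rails itself), a small Ruby lint that reports the unsafe serializer settings this entry describes when run over the text of a Rails initializer, and prints the corrected line; the sample initializer content is constructed for the example.

```ruby
# Added example: flag `cookies_serializer = :marshal` / `:hybrid` in Rails
# configuration text and suggest the `:json` replacement (CWE-94 entry above).
UNSAFE_SERIALIZERS = %i[marshal hybrid].freeze
SAFE_SERIALIZER    = :json

# Matches both `Rails.application.config.action_dispatch.cookies_serializer = :x`
# (config/initializers/cookies_serializer.rb) and the shorter
# `config.action_dispatch.cookies_serializer = :x` form used in application.rb.
SETTING_RE = /config\.action_dispatch\.cookies_serializer\s*=\s*:(\w+)/

# Returns one finding per unsafe assignment in +source+: the line number,
# the serializer found, the CWE, and the line as a defender would rewrite it.
def check_cookie_serializer(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?("#")          # ignore commented-out settings
    m = SETTING_RE.match(line) or next
    serializer = m[1].to_sym
    next unless UNSAFE_SERIALIZERS.include?(serializer)
    findings << {
      line: lineno,
      serializer: serializer,
      cwe: "CWE-94",
      fix: line.sub(":#{serializer}", ":#{SAFE_SERIALIZER}").strip
    }
  end
  findings
end

# Constructed sample of config/initializers/cookies_serializer.rb (weak setting).
WEAK_INITIALIZER = <<~RUBY
  # Be sure to restart your server when you modify this file.
  # Rails.application.config.action_dispatch.cookies_serializer = :json
  Rails.application.config.action_dispatch.cookies_serializer = :hybrid
RUBY

# The same file after applying the suggested fix.
HARDENED_INITIALIZER = WEAK_INITIALIZER.sub(":hybrid", ":json")

if __FILE__ == $PROGRAM_NAME
  check_cookie_serializer(WEAK_INITIALIZER).each do |f|
    puts "line #{f[:line]}: cookies_serializer = :#{f[:serializer]} (#{f[:cwe]}); use: #{f[:fix]}"
  end
  status = check_cookie_serializer(HARDENED_INITIALIZER).empty? ? "no findings" : "findings"
  puts "hardened initializer: #{status}"
end
```

A file that sets nothing falls back to the framework default for the app's Rails version, which this text-only check does not evaluate.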
Impact
If exploited, an attacker could achieve remote code execution on your server by crafting a malicious cookie. This could lead to full system compromise, data theft, or further attacks against your users and infrastructure.