Vulnerability details: VCID-eyma-ht2z-7kac
Vulnerability ID VCID-eyma-ht2z-7kac
Aliases CVE-2023-34102
GHSA-86h2-2g4g-29qx
Summary Avo is an open source Ruby on Rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit `ec117882d`, which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (4)
System Score Found at
epss 0.02239 https://api.first.org/data/v1/epss?cve=CVE-2023-34102
epss 0.03264 https://api.first.org/data/v1/epss?cve=CVE-2023-34102
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-86h2-2g4g-29qx
cvssv3.1 8.3 https://github.com/avo-hq/avo
generic_textual HIGH https://github.com/avo-hq/avo
cvssv3.1 8.3 https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17
generic_textual HIGH https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17
ssvc Track* https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17
cvssv3.1 8.3 https://github.com/avo-hq/avo/releases/tag/v2.33.3
generic_textual HIGH https://github.com/avo-hq/avo/releases/tag/v2.33.3
cvssv3 8.3 https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
cvssv3.1 8.3 https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
cvssv3.1_qr HIGH https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
generic_textual HIGH https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
ssvc Track* https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
cvssv3.1 8.3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2023-34102.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2023-34102.yml
cvssv3.1 8.3 https://nvd.nist.gov/vuln/detail/CVE-2023-34102
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-34102
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H Found at https://github.com/avo-hq/avo
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H Found at https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-08T15:48:23Z/ Found at https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H Found at https://github.com/avo-hq/avo/releases/tag/v2.33.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H Found at https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-08T15:48:23Z/ Found at https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2023-34102.yml

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-34102

Exploit Prediction Scoring System (EPSS)
Percentile 0.84917
EPSS Score 0.02239
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:26:05.197412+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/34xxx/CVE-2023-34102.json 38.6.0