CVE-2024-46986: Ruby Kernel Eval On Non Literal
greprules fetch cve-2024-46986-ruby-kernel-eval-on-non-literal --engine opengrep

Description
Kernel#eval is invoked with a non-literal value pulled from a variable or collection. If the argument is influenced by configuration, plugins, database/cache contents, or any other writable source, this is a Ruby code-injection sink (CWE-95) leading to RCE. Store callbacks as Proc/Lambda objects and invoke them via `.call` (or `&:call`) instead of eval'ing s
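The following is an added example, not code from the rule page or from the greprules project. It contrasts a callback registry whose handler bodies are strings that reach Kernel#eval (the sink the rule flags) with the recommended design, where handlers are lambdas stored in a code-owned table and invoked with `.call` or `&:call`. It also includes a small regex heuristic, written here as an approximation of the rule's idea and not the rule itself, that flags eval calls whose first argument does not start with a string literal. UNTRUSTED_CONFIG, CALLBACKS, SAMPLE_SOURCE and all function names are constructed for the example.

```ruby
# Constructed stand-in for a writable source (config file, database row, cache entry).
# Under the eval design, anything written here is executed as Ruby code.
UNTRUSTED_CONFIG = {
  "on_save" => "record[:name].strip.upcase",
  "on_load" => "record[:name].downcase"
}.freeze

# Vulnerable design (CWE-95): the handler body is a string pulled from a collection
# and passed to Kernel#eval. The argument is non-literal, which is what the rule flags;
# whoever controls UNTRUSTED_CONFIG controls what runs in this process.
def run_callback_via_eval(name, record)
  src = UNTRUSTED_CONFIG.fetch(name)
  eval(src) # `record` is visible to the eval'd string through the method's binding
end

# Hardened design: handlers are lambdas defined in code. Data from outside can only
# select a handler by name; it can never supply the handler's body.
CALLBACKS = {
  "on_save" => ->(record) { record[:name].strip.upcase },
  "on_load" => ->(record) { record[:name].downcase }
}.freeze

def run_callback(name, record)
  handler = CALLBACKS.fetch(name) { raise ArgumentError, "unknown callback #{name.inspect}" }
  handler.call(record)
end

# Zero-arity hooks (lifecycle notifications, cleanup steps) fire with &:call.
def fire_hooks(hooks)
  hooks.map(&:call)
end

# Heuristic detector: `eval` (bare or Kernel.eval) whose first argument does not open
# with a string literal (", ', or a % literal). It is a line-based approximation:
# heredoc arguments are reported and comment lines are not skipped.
NONLITERAL_EVAL = /\beval\b\s*\(?\s*(?!["'%\s()])\S/

# Returns the 1-based line numbers that match the heuristic.
def flag_nonliteral_eval(source_lines)
  source_lines.each_with_index
              .select { |line, _| line.match?(NONLITERAL_EVAL) }
              .map { |_, index| index + 1 }
end

# Constructed sample source for the detector.
SAMPLE_SOURCE = [
  'eval("1 + 1")',            # literal argument: not flagged
  'handler = config["hook"]', # assignment only
  'eval(handler)',            # non-literal: flagged
  'Kernel.eval hooks.first',  # non-literal, no parentheses: flagged
  'evaluate(handler)'         # a different method: not flagged
].freeze

if __FILE__ == $PROGRAM_NAME
  record = { name: "  alice " }
  puts run_callback("on_save", record)          # ALICE
  puts run_callback_via_eval("on_save", record) # ALICE, but via the injection sink
  p flag_nonliteral_eval(SAMPLE_SOURCE)         # [3, 4]
end
```

The lookup table is frozen and lives in source control, so a review of CALLBACKS is a review of every piece of code that can ever run through this path; with the eval design that review would have to cover every writer of the configuration store as well.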
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided