Lucene search

[email protected]CVE-2010-3933

HistoryOct 03, 2022 - 4:20 p.m.

CVE-2010-3933

2022-10-0316:20:54

CWE-20

[email protected]

web.nvd.nist.gov

cve-2010-3933

ruby on rails

remote code execution

nested attributes

form input security

nvd

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

6.6 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

70.3%

JSON

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

Affected configurations

NVD

Node

rubyonrailsrailsMatch2.3.9

rubyonrailsrailsMatch3.0.0

CPENameOperatorVersion
rubyonrails:railsrubyonrails railseq2.3.9
rubyonrails:railsrubyonrails railseq3.0.0

CPE	Name	Operator	Version
rubyonrails:rails	rubyonrails rails	eq	2.3.9
rubyonrails:rails	rubyonrails rails	eq	3.0.0

References

secunia.com/advisories/41930

securitytracker.com/id?1024624

weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0

www.vupen.com/english/advisories/2010/2719

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

6.6 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

70.3%

JSON

Related for CVE-2010-3933

github1 nvd1 osv1 prion1 ubuntucve1 openvas2 cvelist1 gitlab1 debiancve1 nessus3 gentoo1