Lucene search

[email protected]CVE-2015-7577

HistoryFeb 16, 2016 - 2:59 a.m.

CVE-2015-7577

2016-02-1602:59:01

CWE-284

[email protected]

web.nvd.nist.gov

cve

2015

7577

active record

ruby on rails

nvd

nested attributes

remote attackers

change restrictions

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5.4 Medium

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.1%

JSON

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.

Affected configurations

NVD

Node

rubyonrailsrailsMatch4.0.0-

rubyonrailsrailsMatch4.0.0beta

rubyonrailsrailsMatch4.0.0rc1

rubyonrailsrailsMatch4.0.0rc2

rubyonrailsrailsMatch4.0.1-

rubyonrailsrailsMatch4.0.1rc1

rubyonrailsrailsMatch4.0.1rc2

rubyonrailsrailsMatch4.0.1rc3

rubyonrailsrailsMatch4.0.1rc4

rubyonrailsrailsMatch4.0.2

rubyonrailsrailsMatch4.0.3

rubyonrailsrailsMatch4.0.4

rubyonrailsrailsMatch4.0.4rc1

rubyonrailsrailsMatch4.0.5

rubyonrailsrailsMatch4.0.6

rubyonrailsrailsMatch4.0.6rc1

rubyonrailsrailsMatch4.0.6rc2

rubyonrailsrailsMatch4.0.6rc3

rubyonrailsrailsMatch4.0.7

rubyonrailsrailsMatch4.0.8

rubyonrailsrailsMatch4.0.9

rubyonrailsrailsMatch4.0.10

rubyonrailsrailsMatch4.0.10rc1

rubyonrailsrailsMatch4.1.0-

rubyonrailsrailsMatch4.1.0beta1

rubyonrailsrailsMatch4.1.0beta2

rubyonrailsrailsMatch4.1.0rc1

rubyonrailsrailsMatch4.1.0rc2

rubyonrailsrailsMatch4.1.1

rubyonrailsrailsMatch4.1.2

rubyonrailsrailsMatch4.1.2rc1

rubyonrailsrailsMatch4.1.2rc2

rubyonrailsrailsMatch4.1.2rc3

rubyonrailsrailsMatch4.1.3

rubyonrailsrailsMatch4.1.4

rubyonrailsrailsMatch4.1.5

rubyonrailsrailsMatch4.1.6

rubyonrailsrailsMatch4.1.6rc1

rubyonrailsrailsMatch4.1.6rc2

rubyonrailsrailsMatch4.1.7

rubyonrailsrailsMatch4.1.7.1

rubyonrailsrailsMatch4.1.8

rubyonrailsrailsMatch4.1.9

rubyonrailsrailsMatch4.1.9rc1

rubyonrailsrailsMatch4.1.10

rubyonrailsrailsMatch4.1.10rc1

rubyonrailsrailsMatch4.1.10rc2

rubyonrailsrailsMatch4.1.10rc3

rubyonrailsrailsMatch4.1.10rc4

rubyonrailsrailsMatch4.1.12

rubyonrailsrailsMatch4.1.12rc1

rubyonrailsrailsMatch4.1.13

rubyonrailsrailsMatch4.1.13rc1

rubyonrailsrailsMatch4.1.14

rubyonrailsrailsMatch4.1.14rc1

rubyonrailsrailsMatch4.1.14rc2

rubyonrailsrailsMatch4.2.0

rubyonrailsrailsMatch4.2.0beta1

rubyonrailsrailsMatch4.2.0beta2

rubyonrailsrailsMatch4.2.0beta3

rubyonrailsrailsMatch4.2.0beta4

rubyonrailsrailsMatch4.2.0rc1

rubyonrailsrailsMatch4.2.0rc2

rubyonrailsrailsMatch4.2.0rc3

rubyonrailsrailsMatch4.2.1

rubyonrailsrailsMatch4.2.1rc1

rubyonrailsrailsMatch4.2.1rc2

rubyonrailsrailsMatch4.2.1rc3

rubyonrailsrailsMatch4.2.1rc4

rubyonrailsrailsMatch4.2.2

rubyonrailsrailsMatch4.2.3

rubyonrailsrailsMatch4.2.3rc1

rubyonrailsrailsMatch4.2.4

rubyonrailsrailsMatch4.2.4rc1

rubyonrailsrailsMatch4.2.5

rubyonrailsrailsMatch4.2.5rc1

rubyonrailsrailsMatch4.2.5rc2

rubyonrailsrailsMatch5.0.0beta1

rubyonrailsruby_on_railsRange≤3.2.22

rubyonrailsruby_on_railsMatch4.0.10rc2

rubyonrailsruby_on_railsMatch4.0.11

rubyonrailsruby_on_railsMatch4.0.11.1

rubyonrailsruby_on_railsMatch4.0.12

rubyonrailsruby_on_railsMatch4.0.13

rubyonrailsruby_on_railsMatch4.0.13rc1

rubyonrailsruby_on_railsMatch4.1.11

CPENameOperatorVersion
rubyonrails:railsrubyonrails railseq4.0.0
rubyonrails:railsrubyonrails railseq4.0.1
rubyonrails:railsrubyonrails railseq4.0.2
rubyonrails:railsrubyonrails railseq4.0.3
rubyonrails:railsrubyonrails railseq4.0.4
rubyonrails:railsrubyonrails railseq4.0.5
rubyonrails:railsrubyonrails railseq4.0.6
rubyonrails:railsrubyonrails railseq4.0.7
rubyonrails:railsrubyonrails railseq4.0.8
rubyonrails:railsrubyonrails railseq4.0.9

CPE	Name	Operator	Version
rubyonrails:rails	rubyonrails rails	eq	4.0.0
rubyonrails:rails	rubyonrails rails	eq	4.0.1
rubyonrails:rails	rubyonrails rails	eq	4.0.2
rubyonrails:rails	rubyonrails rails	eq	4.0.3
rubyonrails:rails	rubyonrails rails	eq	4.0.4
rubyonrails:rails	rubyonrails rails	eq	4.0.5
rubyonrails:rails	rubyonrails rails	eq	4.0.6
rubyonrails:rails	rubyonrails rails	eq	4.0.7
rubyonrails:rails	rubyonrails rails	eq	4.0.8
rubyonrails:rails	rubyonrails rails	eq	4.0.9