Lucene search

GitHub Advisory DatabaseGHSA-GJXW-5W2Q-7GRF

HistoryOct 24, 2017 - 6:33 p.m.

Rails activerecord gem has Improper Input Validation vulnerability

2017-10-2418:33:38

CWE-20

GitHub Advisory Database

github.com

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

EPSS

0.004

Percentile

73.1%

JSON

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

Affected configurations

Vulners

Node

activerecord_projectactiverecordRange3.0.0–3.0.1ruby

activerecord_projectactiverecordRange2.3.9–2.3.10ruby

VendorProductVersionCPE
activerecord_projectactiverecord*cpe:2.3:a:activerecord_project:activerecord:*:*:*:*:*:ruby:*:*

Vendor	Product	Version	CPE
activerecord_project	activerecord	*	cpe:2.3:a:activerecord_project:activerecord::::::ruby::*

References

weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0

github.com/advisories/GHSA-gjxw-5w2q-7grf

github.com/rails/rails/commit/2d96bccb1e8b62e3e11ca0c5d38aaa8cece889ae

github.com/rails/rails/commit/96183e0f284bab27667e5a38fa6a1578eb029585

github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2010-3933.yml

nvd.nist.gov/vuln/detail/CVE-2010-3933

web.archive.org/web/20101129225633/securitytracker.com/alerts/2010/Oct/1024624.html

web.archive.org/web/20111225083933/secunia.com/advisories/41930

web.archive.org/web/20201208053819/securitytracker.com/id?1024624

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

EPSS

0.004

Percentile

73.1%

JSON

Related for GHSA-GJXW-5W2Q-7GRF