Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneBackusH1:108723
HistoryJan 06, 2016 - 8:34 a.m.

Ruby on Rails: Validation bypass for Active Record and Active Model

2016-01-0608:34:00
backus
hackerone.com
27

0.006 Low

EPSS

Percentile

78.8%

JSON

Possible Input Validation Circumvention in Active Model

There is a possible input validation circumvention vulnerability in Active
Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753.

Versions Affected: 4.1.0 and newer
Not affected: 4.0.13 and older
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1

Impact

Code that uses Active Model based models (including Active Record models) and
does not validate user input before passing it to the model can be subject to
an attack where specially crafted input will cause the model to skip
validations.

Vulnerable code will look something like this:

SomeModel.new(unverified_user_input)

Rails users using Strong Parameters are generally not impacted by this issue
as they are encouraged to whitelist parameters and must specifically opt-out
of input verification using the permit! method to allow mass assignment.

For example, a vulnerable Rails application will have code that looks like
this:

def create
  params.permit! # allow all parameters
  @user = User.new params[:users]
end

Active Model and Active Record objects are not equipped to handle arbitrary
user input. It is up to the application to verify input before passing it to
Active Model models. Rails users already have Strong Parameters in place to
handle white listing, but applications using Active Model and Active Record
outside of a Rails environment may be impacted.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are several workarounds depending on the application. Inside a Rails
application, stop using permit!. Outside a Rails application, either use
Hash#slice to select the parameters you need, or integrate Strong Parameters
with your application.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

  • 4-1-validation_skip.patch - Patch for 4.1 series
  • 4-2-validation_skip.patch - Patch for 4.2 series
  • 5-0-validation_skip.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits

Thanks to:

John Backus from BlockScore for reporting this!

Related

debian 4
openvas 11
nvd 1
github 1
debiancve 1
cvelist 1
ubuntucve 1
nessus 11
fedora 6
osv 2
prion 1
cve 1
gitlab 1
rubygems 1
redhat 1
freebsd 1
ibm 1
suse 1
debian
debian
[SECURITY] [DLA 641-1] ruby-activesupport-3.2 security update
2016-09-30 13:19:36
[SECURITY] [DLA 498-1] ruby-activemodel-3.2 security update
2016-05-31 17:22:59
[SECURITY] [DLA 642-1] ruby-activerecord-3.2 security update
2016-09-30 16:30:28
openvas
openvas
Ruby on Rails Acrive Model Security Bypass Vulnerability - Linux
2016-10-17 00:00:00
Debian: Security Advisory (DLA-498-1)
2023-03-08 00:00:00
Debian: Security Advisory (DLA-641-1)
2023-03-08 00:00:00
nvd
nvd
CVE-2016-0753
2016-02-16 02:59:07
github
github
activemodel contains Improper Input Validation
2017-10-24 18:33:35
debiancve
debiancve
CVE-2016-0753
2016-02-16 02:59:07
cvelist
cvelist
CVE-2016-0753
2016-02-16 02:00:00
ubuntucve
ubuntucve
CVE-2016-0753
2016-02-16 00:00:00
nessus
nessus
Debian DLA-498-1 : ruby-activemodel-3.2 security update
2016-06-01 00:00:00
Debian DLA-642-1 : ruby-activerecord-3.2 security update
2016-10-04 00:00:00
Fedora 23 : rubygem-activemodel-4.2.3-2.fc23 (2016-eb4d6e8aab)
2016-03-04 00:00:00
fedora
fedora
[SECURITY] Fedora 23 Update: rubygem-activemodel-4.2.3-2.fc23
2016-02-28 12:29:07
[SECURITY] Fedora 23 Update: rubygem-activerecord-4.2.3-2.fc23
2016-02-28 12:28:49
[SECURITY] Fedora 22 Update: rubygem-activesupport-4.2.0-4.fc22
2016-02-28 08:31:16
osv
osv
activemodel contains Improper Input Validation
2017-10-24 18:33:35
ruby-activemodel-3.2 - security update
2016-05-31 00:00:00
prion
prion
Design/Logic Flaw
2016-02-16 02:59:00
cve
cve
CVE-2016-0753
2016-02-16 02:59:07
gitlab
gitlab
Possible Input Validation Circumvention
2016-02-15 00:00:00
rubygems
rubygems
Possible Input Validation Circumvention in Active Model
2016-01-24 21:00:00
redhat
redhat
(RHSA-2016:0296) Important: rh-ror41 security update
2016-02-24 00:00:00
freebsd
freebsd
rails -- multiple vulnerabilities
2016-01-25 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9, IBM BigFix Inventory v9 and IBM Endpoint Manager for Software Use Analysis v9 & v2.2
2021-04-26 21:17:25
suse
suse
Security update for portus (important)
2016-04-25 20:07:56

0.006 Low

EPSS

Percentile

78.8%

JSON
Related for H1:108723
debian4openvas11nvd1github1debiancve1cvelist1ubuntucve1nessus11fedora6osv2prion1cve1gitlab1rubygems1redhat1freebsd1ibm1suse1