CVE-2016-0753
rubygem-activerecord: possible input validation circumvention in Active Model
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
Active Model en Ruby on Rails 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 soporta el uso de los escritores a nivel de instancia para descriptores de acceso de clase, lo que permite a atacantes remotos eludir los pasos destinados a la validación a través de parámetros manipulados.
A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-12-16 CVE Reserved
- 2016-02-01 CVE Published
- 2024-05-18 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2016/01/25/14 | Mailing List |
|
| http://www.securityfocus.com/bid/82247 | Broken Link | |
| http://www.securitytracker.com/id/1034816 | Broken Link | |
| https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ | Broken Link |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | >= 4.1.0 < 4.1.14.1 Search vendor "Rubyonrails" for product "Rails" and version " >= 4.1.0 < 4.1.14.1" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | >= 4.2.0 < 4.2.5.1 Search vendor "Rubyonrails" for product "Rails" and version " >= 4.2.0 < 4.2.5.1" | - |
Affected
| ||||||
| Rubyonrails Search vendor "Rubyonrails" | Rails Search vendor "Rubyonrails" for product "Rails" | 5.0.0 Search vendor "Rubyonrails" for product "Rails" and version "5.0.0" | beta1 |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 22 Search vendor "Fedoraproject" for product "Fedora" and version "22" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 23 Search vendor "Fedoraproject" for product "Fedora" and version "23" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 42.1 Search vendor "Opensuse" for product "Leap" and version "42.1" | - |
Affected
| ||||||