Описание
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| ruby-activemodel-3.2 | fixed | 3.2.6-3 | package | |
| ruby-activerecord-2.3 | fixed | 2.3.14-5 | package | |
| rails | fixed | 2.3.14.1 | package |
Примечания
Starting with 2.3.14.1 rails is a transition package
The fix for 3.2 is present in ruby-activemodel-3.2, not ruby-activerecord-3.2
Связанные уязвимости
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
ActiveRecord vulnerable to modification of protected model attributes