Description
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
A flaw was found in the Active Record component's handling of nested attributes in combination with the destroy flag. An attacker could possibly use this flaw to set attributes to invalid values or clear all attributes.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| CloudForms Management Engine 5.2 | ruby193-rubygem-activerecord | Affected | | |
| CloudForms Management Engine 5.3 | ruby193-rubygem-activerecord | Affected | | |
| OpenStack Foreman | ruby193-rubygem-activerecord | Will not fix | | |
| Red Hat Subscription Asset Manager | ruby193-rubygem-activerecord | Will not fix | | |
| Red Hat Subscription Asset Manager | rubygem-activerecord | Not affected | | |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-actionpack | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-actionview | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-activemodel | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-activerecord | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-activesupport | Fixed | RHSA-2016:0296 | 24.02.2016 |
Additional information
CVSS2: 4.3 Medium