exploitDog
CVE-2016-0753

Published: 25 Jan 2016
Source: redhat
CVSS2: 4.3
EPSS: Low

Description

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.

A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation.

Mitigation

Do not allow arbitrary attributes to be passed to models. In Rails with Strong Parameters, make sure not to call the permit! method, which bypasses strong parameters protections. Outside of Rails, use whitelisting to filter only allowed attributes before passing them to models.
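The whitelisting step recommended above, as an added example in plain Ruby (not code from the advisory, from Red Hat or from the Rails project, and deliberately free of the Rails gem so it runs stand-alone). The User class, the PERMITTED_USER_ATTRS list, the permit_attributes helper and the CRAFTED_PARAMS payload are all constructed for this illustration; the unfiltered builder stands in for the effect of calling permit!, the filtered builder shows the mitigated path.

```ruby
# Added example: filter request parameters against an allow-list before
# mass-assigning them to a model. Constructed for this page, not Rails code.

# Constructed toy model: a user record with a privileged flag that must only
# ever be set by trusted code, never from request parameters.
class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Mass-assignment style setter: every key becomes a writer call, so any
  # key the caller lets through reaches the model unchecked.
  def assign_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Allowed keys for the user-facing signup form (constructed policy).
PERMITTED_USER_ATTRS = %w[name email].freeze

# Allow-list filter: keeps only permitted keys and reports what was dropped,
# so unexpected attributes can be logged or alerted on rather than ignored.
def permit_attributes(params, allowed)
  params = params.transform_keys(&:to_s)
  kept = params.select { |k, _| allowed.include?(k) }
  dropped = params.keys - kept.keys
  [kept, dropped]
end

# Unmitigated path, equivalent in spirit to calling permit! on strong
# parameters: whatever the client sends is written straight to the model.
def build_user_unfiltered(params)
  User.new.assign_attributes(params)
end

# Mitigated path: filter first, then mass-assign only the permitted subset.
def build_user_filtered(params)
  kept, dropped = permit_attributes(params, PERMITTED_USER_ATTRS)
  warn "dropped unpermitted attributes: #{dropped.inspect}" unless dropped.empty?
  User.new.assign_attributes(kept)
end

# Constructed request payload: a signup form submission carrying an extra
# "admin" key that the form never offers.
CRAFTED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered admin=#{build_user_unfiltered(CRAFTED_PARAMS).admin}" # true
  puts "filtered   admin=#{build_user_filtered(CRAFTED_PARAMS).admin}"   # false
end
```

The detection-relevant design choice is that permit_attributes returns the dropped keys instead of silently discarding them: a request that carries keys the form never offers is worth a log line, since it is exactly the "crafted parameters" pattern the advisory describes.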

Affected packages

Platform                            Package                        Status        Recommendation  Release
CloudForms Management Engine 5.2    ruby193-rubygem-activemodel    Not affected
CloudForms Management Engine 5.2    ruby193-rubygem-activerecord   Not affected
CloudForms Management Engine 5.3    ruby193-rubygem-activemodel    Not affected
CloudForms Management Engine 5.3    ruby193-rubygem-activerecord   Not affected
OpenStack Foreman                   ruby193-rubygem-activerecord   Not affected
Red Hat Software Collections        ror40-rubygem-activemodel      Not affected
Red Hat Software Collections        ror40-rubygem-activerecord     Not affected
Red Hat Software Collections        ruby193-rubygem-activemodel    Not affected
Red Hat Software Collections        ruby193-rubygem-activerecord   Not affected
Red Hat Subscription Asset Manager  ruby193-rubygem-activemodel    Not affected


Additional information

Status:

Moderate
Defect:
CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1301973
rubygem-activerecord: possible input validation circumvention in Active Model

EPSS

Percentile: 84%
0.02328
Low

4.3 Medium

CVSS2

Related vulnerabilities

CVSS3: 5.3
ubuntu
almost 10 years ago

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.

CVSS3: 5.3
nvd
almost 10 years ago

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.

CVSS3: 5.3
debian
almost 10 years ago

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2. ...

CVSS3: 5.3
github
more than 8 years ago

activemodel contains Improper Input Validation

fstec
almost 10 years ago

A vulnerability in the Ruby on Rails software platform that allows an attacker to bypass the data validation mechanism
