Action not permitted
Modal body text goes here.
Modal Title
Modal Body
GHSA-543v-gj2c-r3ch
Vulnerability from github
Published
2017-10-24 18:33
Modified
2023-06-30 21:32
Severity ?
Summary
activemodel contains Improper Input Validation
Details
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.14.0"
},
"package": {
"ecosystem": "RubyGems",
"name": "activemodel"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.14.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.5.0"
},
"package": {
"ecosystem": "RubyGems",
"name": "activemodel"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-0753"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:59:56Z",
"nvd_published_at": "2016-02-16T02:59:07Z",
"severity": "MODERATE"
},
"details": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"id": "GHSA-543v-gj2c-r3ch",
"modified": "2023-06-30T21:32:03Z",
"published": "2017-10-24T18:33:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0753"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activemodel/CVE-2016-0753.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20160405205300/http://www.securitytracker.com/id/1034816"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228000230/http://www.securityfocus.com/bid/82247"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210613054843/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "activemodel contains Improper Input Validation"
}
gsd-2016-0753
Vulnerability from gsd
Modified
2016-01-25 00:00
Details
There is a possible input validation circumvention vulnerability in Active
Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753.
Versions Affected: 4.1.0 and newer
Not affected: 4.0.13 and older
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1
Impact
------
Code that uses Active Model based models (including Active Record models) and
does not validate user input before passing it to the model can be subject to
an attack where specially crafted input will cause the model to skip
validations.
Vulnerable code will look something like this:
```ruby
SomeModel.new(unverified_user_input)
```
Rails users using Strong Parameters are generally not impacted by this issue
as they are encouraged to whitelist parameters and must specifically opt-out
of input verification using the `permit!` method to allow mass assignment.
For example, a vulnerable Rails application will have code that looks like
this:
```ruby
def create
params.permit! # allow all parameters
@user = User.new params[:users]
end
```
Active Model and Active Record objects are not equipped to handle arbitrary
user input. It is up to the application to verify input before passing it to
Active Model models. Rails users already have Strong Parameters in place to
handle white listing, but applications using Active Model and Active Record
outside of a Rails environment may be impacted.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
There are several workarounds depending on the application. Inside a Rails
application, stop using `permit!`. Outside a Rails application, either use
Hash#slice to select the parameters you need, or integrate Strong Parameters
with your application.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 4-1-validation_skip.patch - Patch for 4.1 series
* 4-2-validation_skip.patch - Patch for 4.2 series
* 5-0-validation_skip.patch - Patch for 5.0 series
Please note that only the 4.1.x and 4.2.x series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.
Credits
-------
Thanks to:
[John Backus](https://github.com/backus) from BlockScore for reporting this!
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2016-0753",
"description": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"id": "GSD-2016-0753",
"references": [
"https://www.suse.com/security/cve/CVE-2016-0753.html",
"https://www.debian.org/security/2016/dsa-3464",
"https://access.redhat.com/errata/RHSA-2016:0296"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activemodel",
"purl": "pkg:gem/activemodel"
}
}
],
"aliases": [
"CVE-2016-0753",
"GHSA-543v-gj2c-r3ch"
],
"details": "There is a possible input validation circumvention vulnerability in Active\nModel. This vulnerability has been assigned the CVE identifier CVE-2016-0753.\n\nVersions Affected: 4.1.0 and newer\nNot affected: 4.0.13 and older\nFixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1\n\nImpact\n------\nCode that uses Active Model based models (including Active Record models) and\ndoes not validate user input before passing it to the model can be subject to\nan attack where specially crafted input will cause the model to skip\nvalidations.\n\nVulnerable code will look something like this:\n\n```ruby\nSomeModel.new(unverified_user_input)\n```\n\nRails users using Strong Parameters are generally not impacted by this issue\nas they are encouraged to whitelist parameters and must specifically opt-out\nof input verification using the `permit!` method to allow mass assignment.\n\nFor example, a vulnerable Rails application will have code that looks like\nthis:\n\n```ruby\ndef create\n params.permit! # allow all parameters\n @user = User.new params[:users]\nend\n```\n\nActive Model and Active Record objects are not equipped to handle arbitrary\nuser input. It is up to the application to verify input before passing it to\nActive Model models. Rails users already have Strong Parameters in place to\nhandle white listing, but applications using Active Model and Active Record\noutside of a Rails environment may be impacted.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are several workarounds depending on the application. Inside a Rails\napplication, stop using `permit!`. Outside a Rails application, either use\nHash#slice to select the parameters you need, or integrate Strong Parameters\nwith your application.\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 4-1-validation_skip.patch - Patch for 4.1 series\n* 4-2-validation_skip.patch - Patch for 4.2 series\n* 5-0-validation_skip.patch - Patch for 5.0 series\n\nPlease note that only the 4.1.x and 4.2.x series are supported at present. Users\nof earlier unsupported releases are advised to upgrade as soon as possible as we\ncannot guarantee the continued availability of security fixes for unsupported\nreleases.\n\nCredits\n-------\nThanks to:\n\n[John Backus](https://github.com/backus) from BlockScore for reporting this!\n",
"id": "GSD-2016-0753",
"modified": "2016-01-25T00:00:00.000Z",
"published": "2016-01-25T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
},
{
"score": 5.3,
"type": "CVSS_V3"
}
],
"summary": "Possible Input Validation Circumvention in Active Model"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/82247"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2016-0753",
"cvss_v2": 5.0,
"cvss_v3": 5.3,
"date": "2016-01-25",
"description": "There is a possible input validation circumvention vulnerability in Active\nModel. This vulnerability has been assigned the CVE identifier CVE-2016-0753.\n\nVersions Affected: 4.1.0 and newer\nNot affected: 4.0.13 and older\nFixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1\n\nImpact\n------\nCode that uses Active Model based models (including Active Record models) and\ndoes not validate user input before passing it to the model can be subject to\nan attack where specially crafted input will cause the model to skip\nvalidations.\n\nVulnerable code will look something like this:\n\n```ruby\nSomeModel.new(unverified_user_input)\n```\n\nRails users using Strong Parameters are generally not impacted by this issue\nas they are encouraged to whitelist parameters and must specifically opt-out\nof input verification using the `permit!` method to allow mass assignment.\n\nFor example, a vulnerable Rails application will have code that looks like\nthis:\n\n```ruby\ndef create\n params.permit! # allow all parameters\n @user = User.new params[:users]\nend\n```\n\nActive Model and Active Record objects are not equipped to handle arbitrary\nuser input. It is up to the application to verify input before passing it to\nActive Model models. Rails users already have Strong Parameters in place to\nhandle white listing, but applications using Active Model and Active Record\noutside of a Rails environment may be impacted.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are several workarounds depending on the application. Inside a Rails\napplication, stop using `permit!`. Outside a Rails application, either use\nHash#slice to select the parameters you need, or integrate Strong Parameters\nwith your application.\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 4-1-validation_skip.patch - Patch for 4.1 series\n* 4-2-validation_skip.patch - Patch for 4.2 series\n* 5-0-validation_skip.patch - Patch for 5.0 series\n\nPlease note that only the 4.1.x and 4.2.x series are supported at present. Users\nof earlier unsupported releases are advised to upgrade as soon as possible as we\ncannot guarantee the continued availability of security fixes for unsupported\nreleases.\n\nCredits\n-------\nThanks to:\n\n[John Backus](https://github.com/backus) from BlockScore for reporting this!\n",
"framework": "rails",
"gem": "activemodel",
"ghsa": "543v-gj2c-r3ch",
"patched_versions": [
"\u003e= 5.0.0.beta1.1",
"~\u003e 4.2.5, \u003e= 4.2.5.1",
"~\u003e 4.1.14, \u003e= 4.1.14.1"
],
"title": "Possible Input Validation Circumvention in Active Model",
"unaffected_versions": [
"\u003c= 4.0.13"
],
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=5.0.0.alpha \u003c5.0.0.beta1.1||\u003e=4.2.0.alpha \u003c4.2.5.1||\u003e=4.1.0.alpha \u003c4.1.14.1",
"affected_versions": "All versions starting from 5.0.0.alpha before 5.0.0.beta1.1, all versions starting from 4.2.0.alpha before 4.2.5.1, all versions starting from 4.1.0.alpha before 4.1.14.1",
"credit": "John Backus",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2019-08-08",
"description": "Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to allow parameters and must specifically opt-out of input verification using the `permit!` method to allow mass assignment. ",
"fixed_versions": [
"4.1.14.1",
"4.2.5.1",
"5.0.0.beta1.1"
],
"identifier": "CVE-2016-0753",
"identifiers": [
"CVE-2016-0753"
],
"not_impacted": "4.0.x and older",
"package_slug": "gem/activemodel",
"pubdate": "2016-02-15",
"solution": "Upgrade to latest, apply patches or use workaround. See provided link.",
"title": "Possible Input Validation Circumvention",
"urls": [
"https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ"
],
"uuid": "14fff4ba-142e-4bfc-ba9c-3c6c497218a3"
},
{
"affected_range": "\u003e=4.0.0 \u003c=5.0.0",
"affected_versions": "All versions starting from 4.0.0 up to 5.0.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2019-08-08",
"description": "The Rails gem supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"fixed_versions": [
"5.0.1"
],
"identifier": "CVE-2016-0753",
"identifiers": [
"CVE-2016-0753"
],
"not_impacted": "All versions before 4.0.0, all versions after 5.0.0",
"package_slug": "gem/rails",
"pubdate": "2016-02-16",
"solution": "Upgrade to versions 5.0.1 or above.",
"title": "Improper Input Validation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2016-0753"
],
"uuid": "dbb908e7-6b6d-4769-ba23-b4451562c77d"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.1.14.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.2.5.1",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0753"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"tags": [
"Broken Link"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "82247",
"refsource": "BID",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/82247"
},
{
"name": "FEDORA-2016-73fe05d878",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1034816"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM"
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4
}
},
"lastModifiedDate": "2023-05-19T16:36Z",
"publishedDate": "2016-02-16T02:59Z"
}
}
}
cve-2016-0753
Vulnerability from cvelistv5
Published
2016-02-16 02:00
Modified
2024-08-05 22:30
Severity ?
EPSS score ?
Summary
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:04.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/82247"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/82247"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/82247"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0753",
"datePublished": "2016-02-16T02:00:00",
"dateReserved": "2015-12-16T00:00:00",
"dateUpdated": "2024-08-05T22:30:04.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.