Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and 3.0.0
Published: October 24, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2010-3933 (NVD)
- GHSA: GHSA-gjxw-5w2q-7grf
- Vendor Advisory: http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0
GEM
FRAMEWORK
SEVERITY
CVSS v2.0: 6.4 (Medium)
UNAFFECTED VERSIONS
< 2.3.9
PATCHED VERSIONS
~> 2.3.9
>= 3.0.1
DESCRIPTION
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
Patches are available for 2.3 and 3.0 series.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2010-3933
- http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0
- https://github.com/advisories/GHSA-gjxw-5w2q-7grf
- https://web.archive.org/web/20111225083933/http://secunia.com/advisories/41930
- https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1024624