RubySec

Providing security resources for the Ruby community

CVE-2013-0276 (activerecord): Ruby on Rails Active Record attr_protected Method Bypass

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 5.0

PATCHED VERSIONS

  • ~> 2.3.17
  • ~> 3.1.11
  • >= 3.2.12

DESCRIPTION

Ruby on Rails contains a flaw in the attr_protected method of Active Record. The issue is triggered during the handling of a specially crafted request, which may allow a remote attacker to bypass protection mechanisms and alter values that would otherwise be protected.
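
To check a project against the patched versions listed above, the following added example (not part of the RubySec advisory) reads the resolved activerecord version from Gemfile.lock text and evaluates it with RubyGems' Gem::Requirement. The lockfile contents and the function names are constructed for illustration, and any version outside the patched ranges is assumed to be affected.

```ruby
require "rubygems"

# Patched version constraints exactly as listed in this advisory.
PATCHED = ["~> 2.3.17", "~> 3.1.11", ">= 3.2.12"].map { |c| Gem::Requirement.new(c) }

# True when the version satisfies at least one patched constraint.
# "~> 2.3.17" means >= 2.3.17 and < 2.4, so 3.0.x never matches any entry.
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED.any? { |req| req.satisfied_by?(v) }
end

# Extract the resolved version of a gem from Gemfile.lock text.
# Resolved specs are indented exactly four spaces ("    activerecord (3.2.11)");
# dependency lines are indented six spaces and are deliberately not matched.
def locked_version(lockfile_text, gem_name = "activerecord")
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)$/)
  m && m[1]
end

# Classify a lockfile as :patched, :vulnerable or :not_present.
# Assumption: a version outside the patched ranges is treated as affected.
def audit(lockfile_text)
  version = locked_version(lockfile_text)
  return :not_present if version.nil?
  patched?(version) ? :patched : :vulnerable
end

# Constructed sample lockfile fragment (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activemodel (3.2.11)
        activesupport (= 3.2.11)
      activerecord (3.2.11)
        activemodel (= 3.2.11)
        arel (~> 3.0.2)
LOCK

puts "activerecord #{locked_version(SAMPLE_LOCK)}: #{audit(SAMPLE_LOCK)}"
```

In a real project, pass `File.read("Gemfile.lock")` to `audit` instead of the sample string.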