CVE-2010-3933 — Improper Input Validation in Rails

CWE-20 — Improper Input Validation6 documents6 sources

Severity

6.4MEDIUMNVD

EPSS

0.7%

top 27.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Activerecord Project Activerecord Rubyonrails Rails

Timeline

PublishedOct 28

Latest updateOct 24

Description

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

CVSS vector

AV:N/AC:L/C:N/I:P/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages2 packages

▶NVDrubyonrails/rails2.3.9, 3.0.0+1

▶RubyGemsactiverecord_project/activerecord2.3.9 — 2.3.10+1

🔴Vulnerability Details

GHSA

Rails activerecord gem has Improper Input Validation vulnerability↗2017-10-24

▶

OSV

Rails activerecord gem has Improper Input Validation vulnerability↗2017-10-24

▶

CVEList

CVE-2010-3933: Ruby on Rails 2↗2010-10-27

▶

📋Vendor Advisories

Debian

CVE-2010-3933: rails - Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which ...↗2010

▶

💬Community

Bugzilla

CVE-2010-3933 rubygem-activerecord: Improper nested attributes management↗2011-10-10

▶