CVE-2013-0276 — Improper Access Control in Project Activerecord

CWE-264 CWE-284 — Improper Access Control10 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.6%

top 30.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Activerecord Project Activerecord

Timeline

PublishedFeb 13

Latest updateOct 24

Description

ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Debianrubyonrails/rails< 2.3.14.1+3

▶NVDrubyonrails/rails36 versions+35

▶RubyGemsactiverecord_project/activerecord3.1.0 — 3.1.11+2

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

ActiveRecord vulnerable to modification of protected model attributes↗2017-10-24

▶

GHSA

ActiveRecord vulnerable to modification of protected model attributes↗2017-10-24

▶

CVEList

CVE-2013-0276: ActiveRecord in Ruby on Rails before 2↗2013-02-13

▶

OSV

CVE-2013-0276: ActiveRecord in Ruby on Rails before 2↗2013-02-13

▶

📋Vendor Advisories

Red Hat

rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected↗2013-02-11

▶

Debian

CVE-2013-0276: rails - ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x befo...↗2013

▶

💬Community

Bugzilla

CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected [fedora-all]↗2013-04-05

▶

Bugzilla

CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected [epel-5]↗2013-04-05

▶

Bugzilla

CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected↗2013-02-09

▶