CVE-2015-7577Improper Access Control in Project Activerecord

CWE-284Improper Access Control10 documents8 sources
Severity
5.3MEDIUMNVD
EPSS
1.2%
top 20.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Rubyonrails RailsActiverecord Project ActiverecordRubyonrails Ruby ON Rails
Timeline
PublishedFeb 16
Latest updateOct 24

Description

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

RubyGemsactiverecord_project/activerecord3.1.03.2.22.1+3
Debianrubyonrails/rails< 2:4.2.5.1-1+3
NVDrubyonrails/rails33 versions+32

🔴Vulnerability Details

4
OSV
Active Record Improper Access Control2017-10-24
GHSA
Active Record Improper Access Control2017-10-24
CVEList
CVE-2015-7577: activerecord/lib/active_record/nested_attributes2016-02-16
OSV
CVE-2015-7577: activerecord/lib/active_record/nested_attributes2016-02-16

📋Vendor Advisories

2
Red Hat
rubygem-activerecord: Nested attributes rejection proc bypass in Active Record2016-01-25
Debian
CVE-2015-7577: rails - activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on ...2015

💬Community

3
HackerOne
Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter2016-02-12
Bugzilla
CVE-2015-7577 rubygem-activerecord: rubygem-activerecord: Nested attributes rejection proc bypass in Active Record [fedora-all]2016-01-26
Bugzilla
CVE-2015-7577 rubygem-activerecord: Nested attributes rejection proc bypass in Active Record2016-01-26
CVE-2015-7577 — Improper Access Control | cvebase