GHSA-xrr6-3pc4-m447

Source

https://github.com/advisories/GHSA-xrr6-3pc4-m447

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-xrr6-3pc4-m447/GHSA-xrr6-3pc4-m447.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xrr6-3pc4-m447

Aliases

CVE-2015-7577

Published

2017-10-24T18:33:36Z

Modified

2024-02-16T08:03:42.644888Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Active Record Improper Access Control

Details

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:04:28Z"
}

References

Affected packages

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.2.22.1

Affected versions

3.*

3.1.0

3.1.1.rc1

3.1.1.rc2

3.1.1.rc3

3.1.1

3.1.2.rc1

3.1.2.rc2

3.1.2

3.1.3

3.1.4.rc1

3.1.4

3.1.5.rc1

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.2.0.rc1

3.2.0.rc2

3.2.0

3.2.1

3.2.2.rc1

3.2.2

3.2.3.rc1

3.2.3.rc2

3.2.3

3.2.4.rc1

3.2.4

3.2.5

3.2.6

3.2.7.rc1

3.2.7

3.2.8.rc1

3.2.8.rc2

3.2.8

3.2.9.rc1

3.2.9.rc2

3.2.9.rc3

3.2.9

3.2.10

3.2.11

3.2.12

3.2.13.rc1

3.2.13.rc2

3.2.13

3.2.14.rc1

3.2.14.rc2

3.2.14

3.2.15.rc1

3.2.15.rc2

3.2.15.rc3

3.2.15

3.2.16

3.2.17

3.2.18

3.2.19

3.2.20

3.2.21

3.2.22

Database specific

{
    "last_known_affected_version_range": "<= 3.2.22.0"
}

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.1.14.1

Affected versions

4.*

4.0.0

4.0.1.rc1

4.0.1.rc2

4.0.1.rc3

4.0.1.rc4

4.0.1

4.0.2

4.0.3

4.0.4.rc1

4.0.4

4.0.5

4.0.6.rc1

4.0.6.rc2

4.0.6.rc3

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10.rc1

4.0.10.rc2

4.0.10

4.0.11

4.0.11.1

4.0.12

4.0.13.rc1

4.0.13

4.1.0.beta1

4.1.0.beta2

4.1.0.rc1

4.1.0.rc2

4.1.0

4.1.1

4.1.2.rc1

4.1.2.rc2

4.1.2.rc3

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6.rc1

4.1.6.rc2

4.1.6

4.1.7

4.1.7.1

4.1.8

4.1.9.rc1

4.1.9

4.1.10.rc1

4.1.10.rc2

4.1.10.rc3

4.1.10.rc4

4.1.10

4.1.11

4.1.12.rc1

4.1.12

4.1.13.rc1

4.1.13

4.1.14.rc1

4.1.14.rc2

4.1.14

Database specific

{
    "last_known_affected_version_range": "<= 4.1.14.0"
}

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

4.2.5.1

Affected versions

4.*

4.2.0

4.2.1.rc1

4.2.1.rc2

4.2.1.rc3

4.2.1.rc4

4.2.1

4.2.2

4.2.3.rc1

4.2.3

4.2.4.rc1

4.2.4

4.2.5.rc1

4.2.5.rc2

4.2.5

RubyGems / activerecord

Package

Name: activerecord
Purl: pkg:gem/activerecord

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0.beta1

Fixed

5.0.0.beta1.1

Affected versions

5.*

5.0.0.beta1