Main Vulnerability Database SB2013041212

SB2013041212 - Permissions, Privileges, and Access Controls in ruby-activerecord (Alpine package)

Published: April 12, 2013

Security Bulletin ID SB2013041212

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-0276)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=80726aa0ce29dacb6bdc34e8e7922c2d3d300dee
https://git.alpinelinux.org/aports/commit/?id=37b5162169d7315e8c849c3cc9c86ac678bbd2c8