CVE-2016-0753
A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation.
Find out more about CVE-2016-0753 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RHSA-2016:0296 | 2016-02-24 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RHSA-2016:0296 | 2016-02-24 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | ruby193-rubygem-activerecord | Not affected |
| Red Hat Subscription Asset Manager 1 | ruby193-rubygem-activemodel | Not affected |
| Red Hat Subscription Asset Manager 1 | rubygem-activerecord | Not affected |
| Red Hat Subscription Asset Manager 1 | rubygem-activemodel | Not affected |
Acknowledgements
Red Hat would like to thank Ruby on Rails project for reporting this issue. Upstream acknowledges John Backus from BlockScore as the original reporter.Mitigation
Do not allow arbitrary attributes to be passed to models. In Rails with Strong Parameters, make sure to not call permit! method, which bypasses strong parameters protections. Outside of rails, use whitelisting to filter only allowed attributes before passing them to models.