GHSA-543v-gj2c-r3ch

Source

https://github.com/advisories/GHSA-543v-gj2c-r3ch

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-543v-gj2c-r3ch/GHSA-543v-gj2c-r3ch.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-543v-gj2c-r3ch

Aliases

CVE-2016-0753

Published

2017-10-24T18:33:35Z

Modified

2023-11-12T05:20:24.690044Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

activemodel contains Improper Input Validation

Details

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.

References

Affected packages

RubyGems / activemodel

Package

Name: activemodel
Purl: pkg:gem/activemodel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.0

Fixed

4.1.14.1

Affected versions

4.*

4.1.0

4.1.1

4.1.2.rc1

4.1.2.rc2

4.1.2.rc3

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6.rc1

4.1.6.rc2

4.1.6

4.1.7

4.1.7.1

4.1.8

4.1.9.rc1

4.1.9

4.1.10.rc1

4.1.10.rc2

4.1.10.rc3

4.1.10.rc4

4.1.10

4.1.11

4.1.12.rc1

4.1.12

4.1.13.rc1

4.1.13

4.1.14.rc1

4.1.14.rc2

4.1.14

Database specific

{
    "last_known_affected_version_range": "<= 4.1.14.0"
}

RubyGems / activemodel

Package

Name: activemodel
Purl: pkg:gem/activemodel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

4.2.5.1

Affected versions

4.*

4.2.0

4.2.1.rc1

4.2.1.rc2

4.2.1.rc3

4.2.1.rc4

4.2.1

4.2.2

4.2.3.rc1

4.2.3

4.2.4.rc1

4.2.4

4.2.5.rc1

4.2.5.rc2

4.2.5

Database specific

{
    "last_known_affected_version_range": "<= 4.2.5.0"
}