A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation.
Find out more about CVE-2016-0753 from the MITRE CVE dictionary dictionary and NIST NVD.
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RHSA-2016:0296 | 2016-02-24 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RHSA-2016:0296 | 2016-02-24 |
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | ruby193-rubygem-activerecord | Not affected |
| Red Hat Subscription Asset Manager 1 | ruby193-rubygem-activemodel | Not affected |
| Red Hat Subscription Asset Manager 1 | rubygem-activerecord | Not affected |
| Red Hat Subscription Asset Manager 1 | rubygem-activemodel | Not affected |
Do not allow arbitrary attributes to be passed to models. In Rails with Strong Parameters, make sure to not call permit! method, which bypasses strong parameters protections. Outside of rails, use whitelisting to filter only allowed attributes before passing them to models.
Vulmon