CVE-2015-7577

Published: 16/02/2016 Updated: 08/08/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x prior to 3.2.22.1, 4.0.x and 4.1.x prior to 4.1.14.1, 4.2.x prior to 4.2.5.1, and 5.x prior to 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote malicious users to bypass intended change restrictions by leveraging use of the nested attributes feature.

Affected Products

Vendor        Product         Versions
Rubyonrails   Rails           4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.7.1, 4.1.8, 4.1.9, 4.1.10, 4.1.12, 4.1.13, 4.1.14, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 5.0.0
Rubyonrails   Ruby On Rails   3.2.22, 4.0.10, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13, 4.1.11

Vendor Advisories

A flaw was found in the Active Record component's handling of nested attributes in combination with the destroy flag. An attacker could possibly use this flaw to set attributes to invalid values or clear all attributes ...
Debian Bug report logs - #790487 rails: CVE-2015-3227: Possible Denial of Service attack in Active Support. Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 29 Jun 2015 1 ...
Debian Bug report logs - #790486 rails: CVE-2015-3226: XSS in ActiveSupport::JSON.encode. Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 29 Jun 2015 18:36:01 UTC; Sever ...
Multiple security issues have been discovered in the Ruby on Rails web application development framework, which may result in denial of service, cross-site scripting, information disclosure or bypass of input validation. For the stable distribution (jessie), these problems have been fixed in version 2:4.1.8-1+deb8u1. For the unstable distribution ( ...