CVE-2013-0276 – activerecord

Package

Manager: gem
Name: activerecord
Vulnerable Version: >=0 <2.3.17 || >=3.1.0 <3.1.11 || >=3.2.0 <3.2.12

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01439 pctl0.7997

Details

ActiveRecord vulnerable to modification of protected model attributes ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the `attr_protected` protection mechanism and modify protected model attributes via a crafted request.

Metadata

Created: 2017-10-24T18:33:37Z
Modified: 2023-01-23T17:23:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-gr44-7grc-37vq/GHSA-gr44-7grc-37vq.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-gr44-7grc-37vq
Finding: F039
Auto approve: 1