- There is a vulnerability in the nested attributes handling code in some
- versions of Ruby on Rails. An attacker could manipulate form parameters
- and make changes to records other than those the developer intended.
- This vulnerability has been assigned the identifier CVE-2010-3933.
- Versions Affected: 3.0.0, 2.3.9
- Not affected: Versions earlier than 2.3.9 and applications which
- do not use accepts_nested_attributes_for
- Fixed Versions: 3.0.1, 2.3.10
- Impact
- ------
- An attacker could change parameter names for form inputs and make
- changes to arbitrary records in the system. All users running an
- affected release should upgrade immediately.
- Releases
- --------
- The 3.0.1 and 2.3.10 releases are available at the normal locations.
- The 3.0.1 release consists solely of 3.0.0 with the security issue
- fixed, 3.0.2 will follow shortly and include other bugfixes as well as
- this fix. 2.3.10 is a regular release in the 2.3 series.
- Workarounds
- -----------
- There are no feasible workarounds for this issue.
- Patches
- -------
- To aid users who aren't able to upgrade immediately we have provided
- patches for the two supported release series. They are in git-am format
- and consist of a single changeset.
- * 2-3-nested_attributes.patch - Patch for 2.3 series
- * 3-0-nested_attributes.patch - Patch for 3.0 series
- Please note that only the 2.3.x and 3.0.x series are supported at
- present. Users of earlier unsupported releases are advised to upgrade
- as soon as possible.
- Credits
- -------
- Thanks to Matti Paksula and Juha Suuraho of Enemy & Sons Ltd for
- reporting the vulnerability to us and helping verify the fix.
Don't like ads? PRO users don't see any ads ;-)
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
create a new version of this paste
RAW Paste Data