Remote Code Execution in Active Record of Ruby on Rails by Vendor
CVE-2015-7577

5.3MEDIUM

Key Information:

Vendor

Rubyonrails

Status
Ruby On Rails
Rails
Vendor
CVE Published:
16 February 2016

What is CVE-2015-7577?

The vulnerability in Active Record of Ruby on Rails arises from the flawed implementation of the 'destroy' option while utilizing nested attributes. This oversight allows remote attackers to exploit the feature, enabling them to bypass the intended change restrictions. This leads to potential unauthorized modifications within a Rails application, posing significant risks to data integrity and application security.

References

http://lists.opensuse.org/opensuse-updates/2016-02/msg000...
vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-updates/2016-02/msg000...
vendor-advisoryx_refsource_SUSE
http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.