Lucene search

[email protected]CVE-2016-0753

HistoryFeb 16, 2016 - 2:59 a.m.

CVE-2016-0753

2016-02-1602:59:00

NVD-CWE-noinfo

[email protected]

web.nvd.nist.gov

cve-2016-0753

active model

ruby on rails

remote attack

validation bypass

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5.4 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.4%

JSON

Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.

CPENameOperatorVersion
rubyonrails:railsrubyonrails railseq5.0.0
rubyonrails:railsrubyonrails railslt4.1.14.1
rubyonrails:railsrubyonrails railslt4.2.5.1
debian:debian_linuxdebian debian linuxeq8.0
fedoraproject:fedorafedoraproject fedoraeq22
fedoraproject:fedorafedoraproject fedoraeq23
opensuse:leapopensuse leapeq42.1

CPE	Name	Operator	Version
rubyonrails:rails	rubyonrails rails	eq	5.0.0
rubyonrails:rails	rubyonrails rails	lt	4.1.14.1
rubyonrails:rails	rubyonrails rails	lt	4.2.5.1
debian:debian_linux	debian debian linux	eq	8.0
fedoraproject:fedora	fedoraproject fedora	eq	22
fedoraproject:fedora	fedoraproject fedora	eq	23
opensuse:leap	opensuse leap	eq	42.1