Bug 1301973 (CVE-2016-0753)
| Summary: | CVE-2016-0753 rubygem-activemodel, rubygem-activerecord: possible input validation circumvention in Active Model | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abaron, aortega, apatters, apevec, ayoung, bgollahe, bkearney, cbillett, ccoleman, chrisw, cpelland, dajohnso, dallan, dclarizi, dmcphers, gblomqui, gkotton, gmccullo, gtanzill, jfrey, jhardy, jialiu, joelsmith, jokerman, jorton, jprause, jrusnack, jschluet, kanderso, katello-bugs, kseifried, lhh, lmeyer, lpeer, markmc, mastahnke, mburns, mmaslano, mmccomas, mmorsi, mtasaka, obarenbo, osoukup, pvalena, rbryant, rhos-maint, roliveri, sclewis, slong, sseago, strzibny, tdecacqu, tomckay, vanmeeuwen+fedora, vondruch, xlecauch, yeylon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rubygem-activemodel 5.0.0.beta1.1, rubygem-activemodel 4.2.5.1, rubygem-activemodel 4.1.14.1, rubygem-activerecord 5.0.0.beta1.1, rubygem-activerecord 4.2.5.1, rubygem-activerecord 4.1.14.1 | Doc Type: | Bug Fix |
| Doc Text: | A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-02-24 10:58:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1301975, 1301976, 1301977, 1301978, 1301979, 1306286, 1306287, 1306290, 1306291 | | |
| Bug Blocks: | 1302006 | | |
Description
Adam Mariš
2016-01-26 13:15:15 UTC
Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-all [bug 1301979]

Created rubygem-activemodel tracking bugs for this issue:

Affects: fedora-all [bug 1301977]

Upstream commit:

4.1 https://github.com/rails/rails/commit/50d3d7d01123fa9e08fcce5985fd6e8c24ba57ab
4.2 https://github.com/rails/rails/commit/e3ceb28e66ca6e869f8f9778dc42672f48001a90

Analysis:

Several class attributes, including validation-related ones, of Active Model models were writable from instances. An attacker with the ability to pass arbitrary attributes to Active Model instances could use this to bypass validation.

Impacted code:

```ruby
SomeModel.new(unverified_user_input)
```

Mitigation:

Do not allow arbitrary attributes to be passed to models. In Rails with Strong Parameters, make sure not to call the permit! method, which bypasses strong parameters protections. Outside of Rails, use whitelisting to filter only allowed attributes before passing them to models.

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:0296 https://rhn.redhat.com/errata/RHSA-2016-0296.html

rubygem-activerecord-4.2.0-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-actionpack-4.2.0-3.fc22, rubygem-activemodel-4.2.0-2.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-activesupport-4.2.0-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-activerecord-4.2.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-activemodel-4.2.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
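The following is an added example, not code from this bug report or from Rails, illustrating the two patterns the Analysis and Mitigation sections contrast in plain Ruby (no Active Model dependency). The `Account` class, its `required` setting, the `ALLOWED` list and the `SAMPLE_INPUT` hash are all constructed for the illustration; the per-instance writer for a class-level validation setting is a stand-in for the "class attribute writable from instances" shape the advisory describes, not Active Model's actual implementation.

```ruby
# Added example (not from the bug report or from Rails). Shows unfiltered
# mass assignment, as in SomeModel.new(unverified_user_input), next to the
# allow-list filtering the advisory recommends for code outside Rails.

class Account
  # Class-level validation setting (hypothetical stand-in). The instance
  # writer below lets a caller override it on one instance, which is the
  # kind of instance-writable class attribute the advisory is about.
  REQUIRED = [:email].freeze

  # Attributes a caller is legitimately allowed to set through params.
  ALLOWED = %w[email name].freeze

  attr_reader :email, :name

  def email=(value); @email = value; end
  def name=(value);  @name = value;  end

  def required
    @required || REQUIRED
  end

  def required=(list)
    @required = list
  end

  # Vulnerable pattern: every key in the hash is turned into a writer call,
  # so a key such as "required" reaches the validation setting.
  def self.from_unfiltered(params)
    new.tap { |account| account.assign(params) }
  end

  # Mitigated pattern: only whitelisted keys reach the model.
  def self.from_permitted(params)
    new.tap { |account| account.assign(permit(params, ALLOWED)) }
  end

  # Keep only allowed keys (the "whitelisting" step from the mitigation).
  def self.permit(params, allowed)
    params.select { |key, _| allowed.include?(key.to_s) }
  end

  # Keys that were dropped; worth logging, since an unexpected key is a
  # signal that someone is probing the model's writers.
  def self.rejected_keys(params, allowed)
    params.keys.map(&:to_s) - allowed
  end

  def assign(params)
    params.each do |key, value|
      writer = "#{key}="
      public_send(writer, value) if respond_to?(writer)
    end
  end

  # Validation: every required attribute must be present.
  def valid?
    required.all? { |attr| !public_send(attr).nil? }
  end
end

# Constructed input: a plausible attribute hash carrying one extra key that
# names the validation setting instead of a normal attribute.
SAMPLE_INPUT = { "name" => "alice", "required" => [] }.freeze

def demo
  unfiltered = Account.from_unfiltered(SAMPLE_INPUT)
  permitted  = Account.from_permitted(SAMPLE_INPUT)
  {
    unfiltered_valid: unfiltered.valid?,  # true: the email check was switched off
    permitted_valid:  permitted.valid?,   # false: email is still required
    dropped: Account.rejected_keys(SAMPLE_INPUT, Account::ALLOWED)  # ["required"]
  }
end

p demo if __FILE__ == $0
```

In a Rails application the `permit` step above is what `params.require(:account).permit(:email, :name)` does; the advisory's warning about `permit!` is that it marks the whole hash as permitted and so restores the unfiltered path.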