Bug 909528 (CVE-2013-0276) - CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected
Summary: CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr...
Alias: CVE-2013-0276
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 909530 909531 909532 909533 948705 948706 995668
Blocks: 909529 917836
TreeView+ depends on / blocked
Reported: 2013-02-09 08:37 UTC by Kurt Seifried
Modified: 2019-09-29 13:00 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-03-15 04:25:29 UTC

Attachments (Terms of Use)
2-3-attr_protected-cve-2013-0276.patch (2.67 KB, patch)
2013-02-11 19:55 UTC, Kurt Seifried
no flags Details | Diff
3-0-attr_protected-cve-2013-0276.patch (1.80 KB, patch)
2013-02-11 19:55 UTC, Kurt Seifried
no flags Details | Diff
3-1-attr_protected-cve-2013-0276.patch (1.76 KB, patch)
2013-02-11 19:56 UTC, Kurt Seifried
no flags Details | Diff
3-2-attr_protected-cve-2013-0276.patch (1.71 KB, patch)
2013-02-11 19:56 UTC, Kurt Seifried
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0686 0 normal SHIPPED_LIVE Moderate: Subscription Asset Manager 1.2.1 update 2013-03-26 23:16:44 UTC

Description Kurt Seifried 2013-02-09 08:37:19 UTC
Aaron Patterson (tenderlove) reports:

Circumvention of attr_protected

There is a vulnerability in the attr_protected method in ActiveRecord. This 
vulnerability has been assigned the CVE identifier CVE-2013-0276.

Versions Affected:  All.
Not affected:       Applications using attr_accessible
Fixed Versions:     3.2.12, 3.1.11

The attr_protected method allows developers to specify a blacklist of model 
attributes which users should not be allowed to assign to.  By using a 
specially crafted request, attackers could circumvent this protection and 
alter values that were meant to be protected.

All users running an affected release should either upgrade or use one of the 
work arounds immediately.  Users should also consider switching from 
attr_protected to the whitelist method attr_accessible which is not vulnerable 
to this attack.

The FIXED releases are available at the normal locations. 

The only feasible work around for this issue is to convert the application to 
use attr_accessible instead of attr_protected.

To aid users who aren't able to upgrade immediately we have provided patches 
for the two supported release series.  They are in git-am format and consist 
of a single changeset. 

* 3-2-attr_protected.patch - Patch for 3.2 series 
* 3-1-attr_protected.patch - Patch for 3.1 series 
* 3-0-attr_protected.patch - Patch for 3.0 series
* 2-3-attr_protected.patch - Patch for 2.3 series

Please note that only the 3.1.x and 3.2.x series are supported at present.  
Users of earlier unsupported releases are advised to upgrade as soon as 
possible as we cannot guarantee the continued availability of security fixes 
for unsupported releases.

Thanks to joernchen of Phenoelit and Ryan Koppenhaver of Matasano Security for 
reporting the vulnerability to us and working closely with us on a fix.

Comment 6 Kurt Seifried 2013-02-11 19:55:43 UTC
Created attachment 696260 [details]

Comment 7 Kurt Seifried 2013-02-11 19:55:59 UTC
Created attachment 696261 [details]

Comment 8 Kurt Seifried 2013-02-11 19:56:15 UTC
Created attachment 696262 [details]

Comment 9 Kurt Seifried 2013-02-11 19:56:30 UTC
Created attachment 696263 [details]

Comment 11 Vít Ondruch 2013-02-12 11:28:56 UTC
Could you please create tracking bug for Fedora? Thank you.

Comment 13 Kurt Seifried 2013-02-13 10:21:01 UTC
This code is in active_record in 2.3 and in activemodel in version 3.0/3.1/3.2, updated title and whiteboard to reflect this.

Comment 15 Fedora Update System 2013-02-21 05:37:52 UTC
rubygem-activemodel-3.2.8-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-02-21 05:38:05 UTC
rubygem-activemodel-3.0.11-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Vincent Danen 2013-03-06 23:42:04 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html

Comment 18 errata-xmlrpc 2013-03-26 19:18:30 UTC
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html

Comment 19 Kurt Seifried 2013-04-05 07:25:35 UTC
Created rubygem-activemodel tracking bugs for this issue

Affects: fedora-all [bug 948705]

Comment 20 Kurt Seifried 2013-04-05 07:26:27 UTC
Created rubygem-activerecord tracking bugs for this issue

Affects: epel-5 [bug 948706]

Comment 21 Kurt Seifried 2013-07-26 06:21:04 UTC
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.

Note You need to log in before you can comment on or make changes to this bug.