Aaron Patterson (tenderlove) reports: Circumvention of attr_protected There is a vulnerability in the attr_protected method in ActiveRecord. This vulnerability has been assigned the CVE identifier CVE-2013-0276. Versions Affected: All. Not affected: Applications using attr_accessible Fixed Versions: 3.2.12, 3.1.11 Impact ------ The attr_protected method allows developers to specify a blacklist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected. All users running an affected release should either upgrade or use one of the work arounds immediately. Users should also consider switching from attr_protected to the whitelist method attr_accessible which is not vulnerable to this attack. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- The only feasible work around for this issue is to convert the application to use attr_accessible instead of attr_protected. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 3-2-attr_protected.patch - Patch for 3.2 series * 3-1-attr_protected.patch - Patch for 3.1 series * 3-0-attr_protected.patch - Patch for 3.0 series * 2-3-attr_protected.patch - Patch for 2.3 series Please note that only the 3.1.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to joernchen of Phenoelit and Ryan Koppenhaver of Matasano Security for reporting the vulnerability to us and working closely with us on a fix.
Created attachment 696260 [details] 2-3-attr_protected-cve-2013-0276.patch
Created attachment 696261 [details] 3-0-attr_protected-cve-2013-0276.patch
Created attachment 696262 [details] 3-1-attr_protected-cve-2013-0276.patch
Created attachment 696263 [details] 3-2-attr_protected-cve-2013-0276.patch
Public via: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8 http://thread.gmane.org/gmane.comp.security.oss.general/9350
Could you please create tracking bug for Fedora? Thank you.
This code is in active_record in 2.3 and in activemodel in version 3.0/3.1/3.2, updated title and whiteboard to reflect this.
rubygem-activemodel-3.2.8-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-activemodel-3.0.11-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: RHEL 6 Version of OpenShift Enterprise Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html
This issue has been addressed in following products: Red Hat Subscription Asset Manager 1.2 Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html
Created rubygem-activemodel tracking bugs for this issue Affects: fedora-all [bug 948705]
Created rubygem-activerecord tracking bugs for this issue Affects: epel-5 [bug 948706]
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.