Bug 1301973 (CVE-2016-0753) - CVE-2016-0753 rubygem-activemodel, rubygem-activerecord: possible input validation circumvention in Active Model
Summary: CVE-2016-0753 rubygem-activemodel, rubygem-activerecord: possible input valid...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-0753
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1301975 1301976 1301977 1301978 1301979 1306286 1306287 1306290 1306291
Blocks: 1302006
Reported: 2016-01-26 13:15 UTC by Adam Mariš
Modified: 2019-09-29 13:43 UTC (History)

Fixed In Version: rubygem-activemodel 5.0.0.beta1.1, rubygem-activemodel 4.2.5.1, rubygem-activemodel 4.1.14.1, rubygem-activerecord 5.0.0.beta1.1, rubygem-activerecord 4.2.5.1, rubygem-activerecord 4.1.14.1
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation.
Clone Of:
Environment:
Last Closed: 2016-02-24 10:58:32 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0296 normal SHIPPED_LIVE Important: rh-ror41 security update 2016-02-24 15:36:00 UTC

Description Adam Mariš 2016-01-26 13:15:15 UTC
A possible input validation circumvention vulnerability in Active Model was reported. Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations.

External References:

https://groups.google.com/forum/#!msg/rubyonrails-security/6jQVC1geukQ/8oYETcxbFQAJ
http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/

Comment 4 Adam Mariš 2016-01-26 13:17:53 UTC
Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-all [bug 1301979]

Comment 5 Adam Mariš 2016-01-26 13:18:12 UTC
Created rubygem-activemodel tracking bugs for this issue:

Affects: fedora-all [bug 1301977]

Comment 6 Adam Mariš 2016-01-26 15:24:24 UTC
Acknowledgments:

Red Hat would like to thank the Ruby on Rails project for reporting this issue.
Upstream acknowledges John Backus from BlockScore as the original reporter.

Comment 8 Ján Rusnačko 2016-02-10 12:23:03 UTC
Analysis:

Several class attributes of Active Model models, including validation-related ones, were writable from instances. An attacker with the ability to pass arbitrary attributes to Active Model instances could use this to bypass validation. Impacted code:

```ruby
SomeModel.new(unverified_user_input)
```

Mitigation:

Do not allow arbitrary attributes to be passed to models. In Rails with Strong Parameters, make sure not to call the permit! method, which bypasses Strong Parameters protections. Outside of Rails, use whitelisting to filter only allowed attributes before passing them to models.
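The whitelisting mitigation from the analysis above, as an added plain-Ruby example (not code from the bug report or the Rails project): request parameters are filtered against an explicit allowlist before anything reaches the model, unexpected keys are reported for logging, and a strict mode refuses the whole request instead. The attribute names, the `Account` stand-in class and the sample parameters are assumptions constructed for the example.

```ruby
# Added example: an attribute allowlist applied before model construction.
# Only keys named in ALLOWED_ATTRIBUTES reach the model; anything else is
# dropped (or, in strict mode, rejects the whole request).

ALLOWED_ATTRIBUTES = %w[name email].freeze  # assumed model attributes

# Returns [permitted, rejected]: the filtered attributes and the names of the
# keys that were stripped. Keys are normalised to strings so symbol and
# string variants of the same name are treated alike.
def permit_attributes(params, allowed = ALLOWED_ATTRIBUTES, strict: false)
  allowed_set = allowed.map(&:to_s)
  permitted = {}
  rejected = []
  params.each do |key, value|
    name = key.to_s
    if allowed_set.include?(name)
      permitted[name] = value
    else
      rejected << name
    end
  end
  if strict && !rejected.empty?
    raise ArgumentError, "unexpected attributes: #{rejected.join(', ')}"
  end
  [permitted, rejected]
end

# Stand-in for an Active Model based class: it only ever sees the filtered
# attributes, never the raw request parameters.
class Account
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs
  end
end

# Constructed request parameters: the expected fields plus a key the model
# never declared, as might arrive from an untrusted client.
SAMPLE_PARAMS = {
  'name' => 'alice',
  :email => 'alice@example.com',
  'unexpected_attribute' => 'anything'
}.freeze

# Safe replacement for SomeModel.new(unverified_user_input): filter first,
# log what was dropped, then build the model from permitted keys only.
def build_account(params)
  permitted, rejected = permit_attributes(params)
  warn "dropped attributes: #{rejected.join(', ')}" unless rejected.empty?
  Account.new(permitted)
end
```

Logging the rejected keys gives a cheap detection signal: a client that repeatedly sends undeclared attributes is worth a closer look.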

Comment 11 errata-xmlrpc 2016-02-24 10:37:39 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:0296 https://rhn.redhat.com/errata/RHSA-2016-0296.html

Comment 12 Fedora Update System 2016-02-28 08:23:53 UTC
rubygem-activerecord-4.2.0-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-02-28 08:25:19 UTC
rubygem-actionpack-4.2.0-3.fc22 and rubygem-activemodel-4.2.0-2.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-02-28 08:28:29 UTC
rubygem-activesupport-4.2.0-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-02-28 12:24:05 UTC
rubygem-activerecord-4.2.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-02-28 12:25:17 UTC
rubygem-activemodel-4.2.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
