{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-25T00:00:00", "descriptions": [{"lang": "en", "value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-09T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "openSUSE-SU-2016:0372", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"name": "openSUSE-SU-2016:0363", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"name": "FEDORA-2016-73fe05d878", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"}, {"name": "FEDORA-2016-cc465a34df", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"}, {"name": "SUSE-SU-2016:1146", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"}, {"name": "1034816", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034816"}, {"name": "81806", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/81806"}, {"name": "DSA-3464", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "RHSA-2016:0296", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7577", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2016:0372", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"name": "openSUSE-SU-2016:0363", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"name": "FEDORA-2016-73fe05d878", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"}, {"name": "FEDORA-2016-cc465a34df", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"}, {"name": "SUSE-SU-2016:1146", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"}, {"name": "1034816", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034816"}, {"name": "81806", "refsource": "BID", "url": "http://www.securityfocus.com/bid/81806"}, {"name": "DSA-3464", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "RHSA-2016:0296", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:51:28.528Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2016:0372", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"name": "openSUSE-SU-2016:0363", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"name": "FEDORA-2016-73fe05d878", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"}, {"name": "FEDORA-2016-cc465a34df", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"}, {"name": "SUSE-SU-2016:1146", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "[ruby-security-ann] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"}, {"name": "1034816", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034816"}, {"name": "81806", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/81806"}, {"name": "DSA-3464", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "RHSA-2016:0296", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"name": "[oss-security] 20160125 [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7577", "datePublished": "2016-02-16T02:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.528Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", "matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", "matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*", "matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*", "matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*", "matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*", "matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*", "matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*", "matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E", "versionEndIncluding": "3.2.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*", "matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature."}, {"lang": "es", "value": "activerecord/lib/active_record/nested_attributes.rb en Active Record en Ruby on Rails 3.1.x y 3.2.x en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no implementa adecuadamente una cierta opci\u00f3n de destruir, lo que permite a atacantes remotos eludir restricciones destinadas al cambio mediante el aprovechamiento del uso de la funcionalidad de atributos anidados."}], "id": "CVE-2015-7577", "lastModified": "2024-11-21T02:37:00.983", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-02-16T02:59:01.063", "references": [{"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/81806"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1034816"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/81806"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034816"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Justin Coyne as the original reporter.", "affected_release": [{"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}], "bugzilla": {"description": "rubygem-activerecord: Nested attributes rejection proc bypass in Active Record", "id": "1301957", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301957"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "details": ["activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.", "A flaw was found in the Active Record component's handling of nested attributes in combination with the destroy flag. An attacker could possibly use this flaw to set attributes to invalid values or clear all attributes."], "name": "CVE-2015-7577", "package_state": [{"cpe": "cpe:/a:cloudforms_managementengine:5.2", "fix_state": "Affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "CloudForms Management Engine 5.2"}, {"cpe": "cpe:/a:cloudforms_managementengine:5.3", "fix_state": "Affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "CloudForms Management Engine 5.3"}, {"cpe": "cpe:/a:redhat:openstack-installer:5", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-activerecord", "product_name": "OpenStack Foreman"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-activerecord", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Not affected", "package_name": "rubygem-activerecord", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2016-01-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-7577\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-7577\nhttp://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/\nhttps://groups.google.com/forum/#!msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"], "threat_severity": "Moderate", "upstream_fix": "rubygem-activerecord 5.0.0.beta1.1, rubygem-activerecord 4.2.5.1, rubygem-activerecord 4.1.14.1, rubygem-activerecord 3.2.22.1"}