ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Rails | Rubyonrails | 3.2.0 (including) | 3.2.0 (including) |
| Rails | Rubyonrails | 3.2.0-rc1 (including) | 3.2.0-rc1 (including) |
| Rails | Rubyonrails | 3.2.0-rc2 (including) | 3.2.0-rc2 (including) |
| Rails | Rubyonrails | 3.2.1 (including) | 3.2.1 (including) |
| Rails | Rubyonrails | 3.2.2 (including) | 3.2.2 (including) |
| Rails | Rubyonrails | 3.2.2-rc1 (including) | 3.2.2-rc1 (including) |
| Rails | Rubyonrails | 3.2.3 (including) | 3.2.3 (including) |
| Rails | Rubyonrails | 3.2.3-rc1 (including) | 3.2.3-rc1 (including) |
| Rails | Rubyonrails | 3.2.3-rc2 (including) | 3.2.3-rc2 (including) |
| Rails | Rubyonrails | 3.2.4 (including) | 3.2.4 (including) |
| Rails | Rubyonrails | 3.2.4-rc1 (including) | 3.2.4-rc1 (including) |
| Rails | Rubyonrails | 3.2.5 (including) | 3.2.5 (including) |
| Rails | Rubyonrails | 3.2.6 (including) | 3.2.6 (including) |
| Rails | Rubyonrails | 3.2.7 (including) | 3.2.7 (including) |
| Rails | Rubyonrails | 3.2.8 (including) | 3.2.8 (including) |
| Rails | Rubyonrails | 3.2.9 (including) | 3.2.9 (including) |
| Rails | Rubyonrails | 3.2.10 (including) | 3.2.10 (including) |
| Rails | Rubyonrails | 3.2.11 (including) | 3.2.11 (including) |
| Red Hat Subscription Asset Manager 1.2 | RedHat | candlepin-0:0.7.24-1.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | katello-0:1.2.1.1-1h.el6_4 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | katello-configure-0:1.2.3.1-4h.el6_4 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-actionpack-1:3.0.10-12.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-activemodel-0:3.0.10-3.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-delayed_job-0:2.1.4-3.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-json-0:1.7.3-2.el6_3 | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-rack-1:1.3.0-4.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-rails_warden-0:0.5.5-2.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-rdoc-0:3.8-6.el6cf | * |
| Red Hat Subscription Asset Manager 1.2 | RedHat | thumbslug-0:0.0.28.1-1.el6_4 | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | graphviz-0:2.26.0-10.el6 | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-console-0:0.0.16-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-broker-0:1.0.11-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-broker-util-0:1.0.15-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-cron-1.4-0:1.0.3-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-diy-0.1-0:1.0.3-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-haproxy-1.4-0:1.0.4-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-jbosseap-6.0-0:1.0.4-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-jbossews-1.0-0:1.0.13-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-jenkins-1.4-0:1.0.2-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-jenkins-client-1.4-0:1.0.2-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-mysql-5.1-0:1.0.5-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-perl-5.10-0:1.0.3-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-php-5.3-0:1.0.5-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-postgresql-8.4-0:1.0.3-2.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-ruby-1.8-0:1.0.7-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-ruby-1.9-scl-0:1.0.8-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-msg-node-mcollective-0:1.0.3-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | php-0:5.3.3-22.el6 | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-ruby-0:1.9.3.327-25.el6 | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-actionpack-1:3.2.8-3.el6 | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-activemodel-0:3.2.8-2.el6 | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-activerecord-1:3.2.8-3.el6 | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-railties-0:3.2.8-2.el6 | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-ruby_parser-0:2.3.1-3.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-actionpack-1:3.0.13-4.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-activemodel-0:3.0.13-3.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-activerecord-1:3.0.13-5.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-bson-0:1.8.1-2.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-mongo-0:1.8.1-2.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-openshift-origin-auth-remote-user-0:1.0.5-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-openshift-origin-console-0:1.0.10-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-openshift-origin-controller-0:1.0.12-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-openshift-origin-node-0:1.0.11-1.el6op | * |
| RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-ruby_parser-0:2.0.4-6.el6op | * |
| Rails | Ubuntu | hardy | * |
| Rails | Ubuntu | lucid | * |
| Rails | Ubuntu | upstream | * |
| Ruby-activerecord-2.3 | Ubuntu | oneiric | * |
| Ruby-activerecord-2.3 | Ubuntu | precise | * |
| Ruby-activerecord-2.3 | Ubuntu | quantal | * |
| Ruby-activerecord-2.3 | Ubuntu | raring | * |
| Ruby-activerecord-2.3 | Ubuntu | saucy | * |
| Ruby-activerecord-2.3 | Ubuntu | upstream | * |
| Ruby-activerecord-3.2 | Ubuntu | quantal | * |
| Ruby-activerecord-3.2 | Ubuntu | raring | * |
| Ruby-activerecord-3.2 | Ubuntu | upstream | * |
References
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://secunia.com/advisories/52112
- http://secunia.com/advisories/52774
- http://support.apple.com/kb/HT5784
- http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
- http://www.debian.org/security/2013/dsa-2620
- http://www.openwall.com/lists/oss-security/2013/02/11/5
- http://www.osvdb.org/90072
- http://www.securityfocus.com/bid/57896
- https://groups.google.com/group/rubyonrails-security/msg/bb44b98a73ef1a06?dmode=source\u0026output=gplain
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://secunia.com/advisories/52112
- http://secunia.com/advisories/52774
- http://support.apple.com/kb/HT5784
- http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
- http://www.debian.org/security/2013/dsa-2620
- http://www.openwall.com/lists/oss-security/2013/02/11/5
- http://www.osvdb.org/90072
- http://www.securityfocus.com/bid/57896
- https://groups.google.com/group/rubyonrails-security/msg/bb44b98a73ef1a06?dmode=source\u0026output=gplain