CVE Vulnerabilities

CVE-2013-0276

Published: Feb 13, 2013 | Modified: Aug 08, 2019
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
RedHat/V2: 5 MODERATE (AV:N/AC:L/Au:N/C:N/I:P/A:N)
RedHat/V3:
Ubuntu: MEDIUM

ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.

Affected Software

Name | Vendor | Start Version | End Version
Rails | Rubyonrails | 3.2.0 (including) | 3.2.0 (including)
Rails | Rubyonrails | 3.2.0-rc1 (including) | 3.2.0-rc1 (including)
Rails | Rubyonrails | 3.2.0-rc2 (including) | 3.2.0-rc2 (including)
Rails | Rubyonrails | 3.2.1 (including) | 3.2.1 (including)
Rails | Rubyonrails | 3.2.2 (including) | 3.2.2 (including)
Rails | Rubyonrails | 3.2.2-rc1 (including) | 3.2.2-rc1 (including)
Rails | Rubyonrails | 3.2.3 (including) | 3.2.3 (including)
Rails | Rubyonrails | 3.2.3-rc1 (including) | 3.2.3-rc1 (including)
Rails | Rubyonrails | 3.2.3-rc2 (including) | 3.2.3-rc2 (including)
Rails | Rubyonrails | 3.2.4 (including) | 3.2.4 (including)
Rails | Rubyonrails | 3.2.4-rc1 (including) | 3.2.4-rc1 (including)
Rails | Rubyonrails | 3.2.5 (including) | 3.2.5 (including)
Rails | Rubyonrails | 3.2.6 (including) | 3.2.6 (including)
Rails | Rubyonrails | 3.2.7 (including) | 3.2.7 (including)
Rails | Rubyonrails | 3.2.8 (including) | 3.2.8 (including)
Rails | Rubyonrails | 3.2.9 (including) | 3.2.9 (including)
Rails | Rubyonrails | 3.2.10 (including) | 3.2.10 (including)
Rails | Rubyonrails | 3.2.11 (including) | 3.2.11 (including)
Rails | Ubuntu | hardy | *
Rails | Ubuntu | lucid | *
Rails | Ubuntu | upstream | *
Ruby-activerecord-2.3 | Ubuntu | oneiric | *
Ruby-activerecord-2.3 | Ubuntu | precise | *
Ruby-activerecord-2.3 | Ubuntu | quantal | *
Ruby-activerecord-2.3 | Ubuntu | raring | *
Ruby-activerecord-2.3 | Ubuntu | saucy | *
Ruby-activerecord-2.3 | Ubuntu | upstream | *
Ruby-activerecord-3.2 | Ubuntu | quantal | *
Ruby-activerecord-3.2 | Ubuntu | raring | *
Ruby-activerecord-3.2 | Ubuntu | upstream | *
Red Hat Subscription Asset Manager 1.2 | RedHat | candlepin-0:0.7.24-1.el6_3 | *
Red Hat Subscription Asset Manager 1.2 | RedHat | katello-0:1.2.1.1-1h.el6_4 | *
Red Hat Subscription Asset Manager 1.2 | RedHat | katello-configure-0:1.2.3.1-4h.el6_4 | *
Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-actionpack-1:3.0.10-12.el6cf | *
Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-activemodel-0:3.0.10-3.el6cf | *
Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-delayed_job-0:2.1.4-3.el6cf | *
Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-json-0:1.7.3-2.el6_3 | *
Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf | *
Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-rack-1:1.3.0-4.el6cf | *
Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-rails_warden-0:0.5.5-2.el6cf | *
Red Hat Subscription Asset Manager 1.2 | RedHat | rubygem-rdoc-0:3.8-6.el6cf | *
Red Hat Subscription Asset Manager 1.2 | RedHat | thumbslug-0:0.0.28.1-1.el6_4 | *
RHEL 6 Version of OpenShift Enterprise | RedHat | graphviz-0:2.26.0-10.el6 | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-console-0:0.0.16-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-broker-0:1.0.11-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-broker-util-0:1.0.15-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-cron-1.4-0:1.0.3-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-diy-0.1-0:1.0.3-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-haproxy-1.4-0:1.0.4-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-jbosseap-6.0-0:1.0.4-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-jbossews-1.0-0:1.0.13-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-jenkins-1.4-0:1.0.2-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-jenkins-client-1.4-0:1.0.2-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-mysql-5.1-0:1.0.5-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-perl-5.10-0:1.0.3-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-php-5.3-0:1.0.5-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-postgresql-8.4-0:1.0.3-2.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-ruby-1.8-0:1.0.7-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-cartridge-ruby-1.9-scl-0:1.0.8-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | openshift-origin-msg-node-mcollective-0:1.0.3-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | php-0:5.3.3-22.el6 | *
RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-ruby-0:1.9.3.327-25.el6 | *
RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-actionpack-1:3.2.8-3.el6 | *
RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-activemodel-0:3.2.8-2.el6 | *
RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-activerecord-1:3.2.8-3.el6 | *
RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-railties-0:3.2.8-2.el6 | *
RHEL 6 Version of OpenShift Enterprise | RedHat | ruby193-rubygem-ruby_parser-0:2.3.1-3.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-actionpack-1:3.0.13-4.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-activemodel-0:3.0.13-3.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-activerecord-1:3.0.13-5.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-bson-0:1.8.1-2.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-mongo-0:1.8.1-2.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-openshift-origin-auth-remote-user-0:1.0.5-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-openshift-origin-console-0:1.0.10-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-openshift-origin-controller-0:1.0.12-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-openshift-origin-node-0:1.0.11-1.el6op | *
RHEL 6 Version of OpenShift Enterprise | RedHat | rubygem-ruby_parser-0:2.0.4-6.el6op | *

References