Miggo Logo

CVE-2010-3933: Rails activerecord gem has Improper Input Validation vulnerability

6.4

CVSS Score

Basic Information

EPSS Score
0.71371%
Published
10/24/2017
Updated
5/26/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:N/I:P/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
activerecordrubygems>= 2.3.9, < 2.3.102.3.10
activerecordrubygems>= 3.0.0, < 3.0.13.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper validation of nested attribute IDs in association handling. The patch replaced ID-based record lookup logic with security checks (raising RecordNotFound) when unassociated IDs are provided. The removed code in these two functions allowed attackers to reference arbitrary records via crafted 'id' parameters, bypassing ownership validation. The commit diff and CVE description directly implicate these association assignment methods as the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Ru*y on R*ils *.*.* *n* *.*.* *o*s not prop*rly **n*l* n*st** *ttri*ut*s, w*i** *llows r*mot* *tt**k*rs to mo*i*y *r*itr*ry r**or*s *y ***n*in* t** n*m*s o* p*r*m*t*rs *or *orm inputs.

Reasoning

T** vuln*r**ility st*mm** *rom improp*r `v*li**tion` o* n*st** *ttri*ut* I*s in *sso*i*tion **n*lin*. T** p*t** r*pl**** I*-**s** r**or* lookup lo*i* wit* s**urity ****ks (r*isin* `R**or*Not*oun*`) w**n un*sso*i*t** I*s *r* provi***. T** r*mov** *o**