CVE-2010-3933: Rails activerecord gem has Improper Input Validation vulnerability
6.4
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.71371%
CWE
Published
10/24/2017
Updated
5/26/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:N/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
activerecord | rubygems | >= 2.3.9, < 2.3.10 | 2.3.10 |
activerecord | rubygems | >= 3.0.0, < 3.0.1 | 3.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper validation
of nested attribute IDs in association handling. The patch replaced ID-based record lookup logic with security checks (raising RecordNotFound
) when unassociated IDs are provided. The removed code in these two functions
allowed attackers to reference arbitrary records via crafted 'id' parameters, bypassing ownership validation
. The commit diff and CVE description directly implicate these association assignment methods
as the vulnerable entry points.