CVE-2016-0753: activemodel contains Improper Input Validation
CVSS Score (v3.0): 5.3
Basic Information
CVE ID: CVE-2016-0753
GHSA ID:
EPSS Score: 0.84133%
CWE:
Published: 10/24/2017
Updated: 11/12/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
activemodel | rubygems | >= 4.1.0, <= 4.1.14.0 | 4.1.14.1 |
activemodel | rubygems | >= 4.2.0, <= 4.2.5.0 | 4.2.5.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Rails' class_attribute macro, which by default also defines an instance-level writer (instance_writer: true) alongside the class-level accessor. Active Model mass assignment (assign_attributes and the methods built on it) calls the "key=" setter for every key it is given, with no distinction between model attributes and internal configuration, so a request parameter such as _validators reaches that instance writer and shadows the class-level value on the object being assigned. An attacker could in this way override class-level configuration (validators, JSON serialization settings, enum mappings, reflection data, and callback chains) for a single instance, for example clearing its validators so that invalid data is saved. The patches add instance_writer: false to these class_attribute declarations, so no instance-level setter exists for mass assignment to hit; the modified modules (JSON serializers, validations, enums, reflection, and callbacks) are exactly those that declared class attributes without that restriction in vulnerable versions. Applications that pass only a permitted whitelist of keys (strong parameters) into mass assignment are not exposed, because an unexpected key such as _validators is dropped before any setter is called.
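The mechanism described above, as an added illustration that is not Rails code: a deliberately simplified stand-in for ActiveSupport's class_attribute (MiniClassAttribute, an assumption for this example), a toy model whose assign_attributes dispatches every key to a "key=" setter the way Active Model does, and the same crafted parameters applied to a model declared with the vulnerable default and to one declared with instance_writer: false. The attacker input is constructed for the example; unknown keys raise ArgumentError here where Rails would raise ActiveModel::UnknownAttributeError.

```ruby
# Added illustration of CVE-2016-0753, not code from Rails or from this page.
module MiniClassAttribute
  # Simplified stand-in for ActiveSupport's class_attribute (assumption):
  # class-level reader/writer always defined, instance-level writer only when
  # instance_writer: true, which mirrors the pre-patch default.
  def class_attribute(name, instance_writer: true)
    ivar = "@#{name}"
    singleton_class.send(:define_method, name) { instance_variable_get(ivar) }
    singleton_class.send(:define_method, "#{name}=") { |v| instance_variable_set(ivar, v) }

    # Instance reader: per-instance value if one was set, else the class value.
    define_method(name) do
      instance_variable_defined?(ivar) ? instance_variable_get(ivar) : self.class.send(name)
    end
    # The security-relevant part: with an instance writer, anything that can
    # call public_send("#{name}=") shadows the class-level configuration.
    define_method("#{name}=") { |v| instance_variable_set(ivar, v) } if instance_writer
  end
end

class ToyModel
  extend MiniClassAttribute

  def self.validates_presence_of(attr)
    self._validators = _validators + [attr]
  end

  # Mass assignment the way Active Model does it: every key becomes a
  # "key=" call, with no distinction between attributes and configuration.
  def assign_attributes(params)
    params.each do |k, v|
      raise ArgumentError, "unknown attribute #{k}" unless respond_to?("#{k}=")
      public_send("#{k}=", v)
    end
    self
  end

  # Presence validation driven entirely by the _validators class attribute.
  def valid?
    _validators.all? do |attr|
      value = public_send(attr)
      !(value.nil? || value.to_s.empty?)
    end
  end
end

class VulnerableUser < ToyModel
  class_attribute :_validators          # instance_writer defaults to true
  self._validators = []
  attr_accessor :name
  validates_presence_of :name
end

class PatchedUser < ToyModel
  class_attribute :_validators, instance_writer: false   # the fix
  self._validators = []
  attr_accessor :name
  validates_presence_of :name
end

# Constructed attacker input: a blank name that must fail validation, plus an
# extra "_validators" key aimed at the class attribute's instance writer.
ATTACKER_PARAMS = { "name" => "", "_validators" => [] }.freeze

# Returns true when the crafted params both assign cleanly and pass valid?,
# i.e. when the validation bypass works against the given model class.
def bypass_succeeds?(model_class)
  model_class.new.assign_attributes(ATTACKER_PARAMS).valid?
rescue ArgumentError
  false
end

# Strong-parameters style permit list: the mitigation for unpatched code.
def permit(params, allowed)
  params.select { |k, _| allowed.include?(k) }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable model bypassed: #{bypass_succeeds?(VulnerableUser)}"
  puts "patched model bypassed:    #{bypass_succeeds?(PatchedUser)}"
  puts "vulnerable + permit list:  #{VulnerableUser.new.assign_attributes(permit(ATTACKER_PARAMS, ['name'])).valid?}"
end
```

Note that the bypass only shadows the value on the single instance: VulnerableUser._validators at the class level is unchanged afterwards, which is why the problem is invisible to anyone inspecting the class and only shows up on the object that received the request parameters.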