Miggo Logo

CVE-2016-0753: activemodel contains Improper Input Validation

5.3

CVSS Score
3.0

Basic Information

EPSS Score
0.84133%
Published
10/24/2017
Updated
11/12/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
activemodelrubygems>= 4.1.0, <= 4.1.14.04.1.14.1
activemodelrubygems>= 4.2.0, <= 4.2.5.04.2.5.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from Rails' class_attribute macro defaulting to enabling instance-level writers. This allowed attackers to override class-level configurations (like validators, serialization settings, enum mappings, and callbacks) via crafted instance parameters. The patches explicitly set instance_writer: false on these class attributes, confirming these were the vulnerable points. The files/modules modified in the provided patches (JSON serializers, validations, enums, reflection, and callbacks) all contained class_attribute declarations without instance_writer restrictions in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**tiv* Mo**l in Ru*y on R*ils *.*.x ***or* *.*.**.*, *.*.x ***or* *.*.*.*, *n* *.x ***or* *.*.*.**t**.* supports t** us* o* inst*n**-l*v*l writ*rs *or *l*ss ****ssors, w*i** *llows r*mot* *tt**k*rs to *yp*ss int*n*** v*li**tion st*ps vi* *r**t** p*r*

Reasoning

T** vuln*r**ility st*mm** *rom R*ils' *l*ss_*ttri*ut* m**ro ****ultin* to *n**lin* inst*n**-l*v*l writ*rs. T*is *llow** *tt**k*rs to ov*rri** *l*ss-l*v*l *on*i*ur*tions (lik* v*li**tors, s*ri*liz*tion s*ttin*s, *num m*ppin*s, *n* **ll***ks) vi* *r**t