cvelistv5 - cve-2010-3933

CVE-2010-3933 (GCVE-0-2010-3933)

Vulnerability from cvelistv5 – Published: 2010-10-27 22:00 – Updated: 2024-09-16 20:42

Summary

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.vupen.com/english/advisories/2010/2719	vdb-entryx_refsource_VUPEN
	http://secunia.com/advisories/41930	third-party-advisoryx_refsource_SECUNIA
	http://securitytracker.com/id?1024624	vdb-entryx_refsource_SECTRACK
	http://weblog.rubyonrails.org/2010/10/15/security…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T03:26:12.219Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ADV-2010-2719",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2010/2719"
          },
          {
            "name": "41930",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/41930"
          },
          {
            "name": "1024624",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1024624"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2010-10-27T22:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "ADV-2010-2719",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2010/2719"
        },
        {
          "name": "41930",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/41930"
        },
        {
          "name": "1024624",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1024624"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2010-3933",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "ADV-2010-2719",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2010/2719"
            },
            {
              "name": "41930",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/41930"
            },
            {
              "name": "1024624",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1024624"
            },
            {
              "name": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0",
              "refsource": "CONFIRM",
              "url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2010-3933",
    "datePublished": "2010-10-27T22:00:00Z",
    "dateReserved": "2010-10-12T00:00:00Z",
    "dateUpdated": "2024-09-16T20:42:14.245Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E3BE7DFE-BA20-434B-A1DE-AD038B255C60\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.\"}, {\"lang\": \"es\", \"value\": \"Ruby on Rails v2.3.9 y v3.0.0 no controla correctamente los atributos anidados, lo cual permite a atacantes remotos modificar registros a su elecci\\u00f3n, cambiando los nombres de los par\\u00e1metros por formularios de entrada.\"}]",
      "id": "CVE-2010-3933",
      "lastModified": "2024-11-21T01:19:55.633",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:P\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2010-10-28T00:00:05.673",
      "references": "[{\"url\": \"http://secunia.com/advisories/41930\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://securitytracker.com/id?1024624\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2010/2719\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/41930\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://securitytracker.com/id?1024624\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2010/2719\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2010-3933\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2010-10-28T00:00:05.673\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.\"},{\"lang\":\"es\",\"value\":\"Ruby on Rails v2.3.9 y v3.0.0 no controla correctamente los atributos anidados, lo cual permite a atacantes remotos modificar registros a su elecci\u00f3n, cambiando los nombres de los par\u00e1metros por formularios de entrada.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3BE7DFE-BA20-434B-A1DE-AD038B255C60\"}]}]}],\"references\":[{\"url\":\"http://secunia.com/advisories/41930\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://securitytracker.com/id?1024624\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2010/2719\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/41930\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://securitytracker.com/id?1024624\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2010/2719\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

GHSA-GJXW-5W2Q-7GRF

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-05-26 16:50

Summary

Rails activerecord gem has Improper Input Validation vulnerability

Details

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.9"
            },
            {
              "fixed": "2.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activerecord"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2010-3933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:37:34Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.",
  "id": "GHSA-gjxw-5w2q-7grf",
  "modified": "2023-05-26T16:50:51Z",
  "published": "2017-10-24T18:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/2d96bccb1e8b62e3e11ca0c5d38aaa8cece889ae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/96183e0f284bab27667e5a38fa6a1578eb029585"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2010-3933.yml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20101129225633/http://securitytracker.com/alerts/2010/Oct/1024624.html"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20111225083933/http://secunia.com/advisories/41930"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1024624"
    },
    {
      "type": "WEB",
      "url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Rails activerecord gem has Improper Input Validation vulnerability"
}

FKIE_CVE-2010-3933

Vulnerability from fkie_nvd - Published: 2010-10-28 00:00 - Updated: 2025-04-11 00:51

Severity ?

Summary

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

References

URL	Tags
cve@mitre.org	http://secunia.com/advisories/41930	Vendor Advisory
cve@mitre.org	http://securitytracker.com/id?1024624
cve@mitre.org	http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0	Vendor Advisory
cve@mitre.org	http://www.vupen.com/english/advisories/2010/2719	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/41930	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://securitytracker.com/id?1024624
af854a3a-2127-422b-91ae-364da2661108	http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2010/2719	Vendor Advisory

Impacted products

	Vendor	Product	Version
	rubyonrails	rails	2.3.9
	rubyonrails	rails	3.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF3ED96F-3EA4-4E47-A559-9DF9A7D3DDE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3BE7DFE-BA20-434B-A1DE-AD038B255C60",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs."
    },
    {
      "lang": "es",
      "value": "Ruby on Rails v2.3.9 y v3.0.0 no controla correctamente los atributos anidados, lo cual permite a atacantes remotos modificar registros a su elecci\u00f3n, cambiando los nombres de los par\u00e1metros por formularios de entrada."
    }
  ],
  "id": "CVE-2010-3933",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.4,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2010-10-28T00:00:05.673",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/41930"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securitytracker.com/id?1024624"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2010/2719"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/41930"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securitytracker.com/id?1024624"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2010/2719"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTA-2010-AVI-512

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité présente dans Ruby on Rails permet à un utilisateur distant de porter atteinte à la confidentialité et l'intégrité des données.

Description

Une vulnérabilité relative à la gestion des paramètres de formulaires dans Ruby on Rails permet à un utilisateur distant malintentionné de porter atteinte à la confidentialité et l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Ruby on Rails	Ruby on Rails	Ruby on Rails version 2.3.9.
	Ruby on Rails	Ruby on Rails	Ruby on Rails version 3.0.0 ;

References

Title

Publication Time

Tags

Bulletin de sécurité Ruby on Rails du 14 octobre 2010

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Ruby on Rails version 2.3.9.",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "Ruby on Rails version 3.0.0 ;",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 relative \u00e0 la gestion des param\u00e8tres de formulaires\ndans Ruby on Rails permet \u00e0 un utilisateur distant malintentionn\u00e9 de\nporter atteinte \u00e0 la confidentialit\u00e9 et l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2010-3933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2010-3933"
    }
  ],
  "links": [],
  "reference": "CERTA-2010-AVI-512",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2010-10-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 pr\u00e9sente dans Ruby on Rails permet \u00e0 un utilisateur\ndistant de porter atteinte \u00e0 la confidentialit\u00e9 et l\u0027int\u00e9grit\u00e9 des\ndonn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 14 octobre 2010",
      "url": "http://groups.google.com/group/rubyonrails-security/browse_thread/f9f913d328dafe0c?pli=1"
    }
  ]
}

CERTA-2010-AVI-512

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité présente dans Ruby on Rails permet à un utilisateur distant de porter atteinte à la confidentialité et l'intégrité des données.

Description

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Ruby on Rails	Ruby on Rails	Ruby on Rails version 2.3.9.
	Ruby on Rails	Ruby on Rails	Ruby on Rails version 3.0.0 ;

References

Title

Publication Time

Tags

Bulletin de sécurité Ruby on Rails du 14 octobre 2010

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Ruby on Rails version 2.3.9.",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "Ruby on Rails version 3.0.0 ;",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 relative \u00e0 la gestion des param\u00e8tres de formulaires\ndans Ruby on Rails permet \u00e0 un utilisateur distant malintentionn\u00e9 de\nporter atteinte \u00e0 la confidentialit\u00e9 et l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2010-3933",
      "url": "https://www.cve.org/CVERecord?id=CVE-2010-3933"
    }
  ],
  "links": [],
  "reference": "CERTA-2010-AVI-512",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2010-10-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 pr\u00e9sente dans Ruby on Rails permet \u00e0 un utilisateur\ndistant de porter atteinte \u00e0 la confidentialit\u00e9 et l\u0027int\u00e9grit\u00e9 des\ndonn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 14 octobre 2010",
      "url": "http://groups.google.com/group/rubyonrails-security/browse_thread/f9f913d328dafe0c?pli=1"
    }
  ]
}

GSD-2010-3933

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

Aliases

CVE-2010-3933

Aliases

CVE-2010-3933

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2010-3933",
    "description": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.",
    "id": "GSD-2010-3933",
    "references": [
      "https://www.suse.com/security/cve/CVE-2010-3933.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2010-3933"
      ],
      "details": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.",
      "id": "GSD-2010-3933",
      "modified": "2023-12-13T01:21:34.154596Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2010-3933",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "ADV-2010-2719",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2010/2719"
          },
          {
            "name": "41930",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/41930"
          },
          {
            "name": "1024624",
            "refsource": "SECTRACK",
            "url": "http://securitytracker.com/id?1024624"
          },
          {
            "name": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0",
            "refsource": "CONFIRM",
            "url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.3.9 \u003c2.3.10||\u003e=3.0.0 \u003c3.0.1",
          "affected_versions": "All versions starting from 2.3.9 before 2.3.10, all versions starting from 3.0.0 before 3.0.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2023-05-26",
          "description": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.",
          "fixed_versions": [
            "2.3.10",
            "3.0.1"
          ],
          "identifier": "CVE-2010-3933",
          "identifiers": [
            "GHSA-gjxw-5w2q-7grf",
            "CVE-2010-3933"
          ],
          "not_impacted": "All versions before 2.3.9, all versions starting from 2.3.10 before 3.0.0, all versions starting from 3.0.1",
          "package_slug": "gem/activerecord",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to versions 2.3.10, 3.0.1 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2010-3933",
            "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2010-3933.yml",
            "https://web.archive.org/web/20101129225633/http://securitytracker.com/alerts/2010/Oct/1024624.html",
            "https://github.com/rails/rails/commit/2d96bccb1e8b62e3e11ca0c5d38aaa8cece889ae",
            "https://github.com/rails/rails/commit/96183e0f284bab27667e5a38fa6a1578eb029585",
            "https://web.archive.org/web/20111225083933/http://secunia.com/advisories/41930",
            "https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1024624",
            "https://github.com/advisories/GHSA-gjxw-5w2q-7grf"
          ],
          "uuid": "1930de28-9d2a-4f85-a4a2-3b85b7c58951"
        },
        {
          "affected_range": "\u003e=2.3.9 \u003c2.3.10||\u003e=3.0.0 \u003c3.0.1",
          "affected_versions": "All versions starting from 2.3.9 before 2.3.10, all versions starting from 3.0.0 before 3.0.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2021-09-10",
          "description": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.",
          "fixed_versions": [
            "2.3.10",
            "3.0.1"
          ],
          "identifier": "CVE-2010-3933",
          "identifiers": [
            "GHSA-gjxw-5w2q-7grf",
            "CVE-2010-3933"
          ],
          "not_impacted": "All versions before 2.3.9, all versions starting from 2.3.10 before 3.0.0, all versions starting from 3.0.1",
          "package_slug": "gem/rails",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to versions 2.3.10, 3.0.1 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2010-3933",
            "https://github.com/advisories/GHSA-gjxw-5w2q-7grf",
            "http://secunia.com/advisories/41930",
            "http://securitytracker.com/id?1024624",
            "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0",
            "http://www.vupen.com/english/advisories/2010/2719"
          ],
          "uuid": "63ea080d-441b-4403-9242-82d0289a747b"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2010-3933"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "ADV-2010-2719",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2010/2719"
            },
            {
              "name": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"
            },
            {
              "name": "1024624",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://securitytracker.com/id?1024624"
            },
            {
              "name": "41930",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/41930"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2019-08-08T14:49Z",
      "publishedDate": "2010-10-28T00:00Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2010-3933 (GCVE-0-2010-3933)

GHSA-GJXW-5W2Q-7GRF

FKIE_CVE-2010-3933

CERTA-2010-AVI-512

Description

Solution

CERTA-2010-AVI-512

Description

Solution

GSD-2010-3933

Tags

Sightings

Nomenclature