製品・ソフトウェアに関する情報

JVN脆弱性詳細

Ruby on Rails の Active Model における検証手順を回避される脆弱性

Title	Ruby on Rails の Active Model における検証手順を回避される脆弱性
Summary	Ruby on Rails の Active Model は、クラスアクセサのインスタンスレベルの writer の使用をサポートするため、検証手順を回避される脆弱性が存在します。
Possible impacts	第三者により、巧妙に細工されたパラメータを介して、検証手順を回避される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 25, 2016, midnight
Registration Date	March 11, 2016, 6:17 p.m.
Last Update	March 11, 2016, 6:17 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:P/A:N

Affected System

Ruby on Rails project

Rails 4.1.14.1 未満の 4.1.x

Rails 4.2.5.1 未満の 4.2.x

Rails 5.0.0.beta1.1 未満の 5.x

Rails 4.1.14.1 未満の 4.1.x

Rails 4.2.5.1 未満の 4.2.x

Rails 5.0.0.beta1.1 未満の 5.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-0753	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
2	CVE-2016-0753	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
National Vulnerability Database (NVD)
3	CVE-2016-0753	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0753
4	CVE-2016-0753	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0753

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html
2	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Google Groups
1	[CVE-2016-0753] Possible Input Validation Circumvention in Active Model	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ
2	[CVE-2016-0753] Possible Input Validation Circumvention in Active Model	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ
Ruby on Rails project
3	Top Page	http://rubyonrails.org/
4	Top Page	http://rubyonrails.org/

Change Log

No	Changed Details	Date of change
0	[2016年03月11日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-0753

Summary	Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
Publication Date	Feb. 16, 2016, 11:59 a.m.
Registration Date	Jan. 26, 2021, 2:04 p.m.
Last Update	Nov. 21, 2024, 11:42 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:rubyonrails:rails:5.0.0:beta1::::::
cpe:2.3:a:rubyonrails:rails::::::::	4.1.0			4.1.14.1
cpe:2.3:a:rubyonrails:rails::::::::	4.2.0			4.2.5.1

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:22:::::::*
cpe:2.3:o:fedoraproject:fedora:23:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:42.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html	Mailing List Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html	Mailing List Third Party Advisory
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html	Mailing List Third Party Advisory
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html	Mailing List Third Party Advisory
5	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html	Mailing List Third Party Advisory
6	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html	Mailing List Third Party Advisory
7	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html	Mailing List Third Party Advisory
8	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html	Mailing List Third Party Advisory
9	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html	Mailing List Third Party Advisory
10	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html	Mailing List Third Party Advisory
11	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html	Mailing List Third Party Advisory
12	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html	Mailing List Third Party Advisory
13	http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html	Mailing List Third Party Advisory
14	http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html	Mailing List Third Party Advisory
15	http://rhn.redhat.com/errata/RHSA-2016-0296.html	Third Party Advisory
16	http://rhn.redhat.com/errata/RHSA-2016-0296.html	Third Party Advisory
17	http://www.debian.org/security/2016/dsa-3464	Third Party Advisory
18	http://www.debian.org/security/2016/dsa-3464	Third Party Advisory
19	http://www.openwall.com/lists/oss-security/2016/01/25/14	Mailing List Third Party Advisory
20	http://www.openwall.com/lists/oss-security/2016/01/25/14	Mailing List Third Party Advisory
21	http://www.securityfocus.com/bid/82247	Broken Link Third Party Advisory VDB Entry
22	http://www.securityfocus.com/bid/82247	Broken Link Third Party Advisory VDB Entry
23	http://www.securitytracker.com/id/1034816	Broken Link Third Party Advisory VDB Entry
24	http://www.securitytracker.com/id/1034816	Broken Link Third Party Advisory VDB Entry
25	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ	Broken Link
26	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ	Broken Link

Common Vulnerabilities List