製品・ソフトウェアに関する情報

JVN脆弱性詳細

Ruby on Rails の Active Record の activerecord/lib/active_record/nested_attributes.rb における変更制限を回避される脆弱性

タイトル	Ruby on Rails の Active Record の activerecord/lib/active_record/nested_attributes.rb における変更制限を回避される脆弱性
概要	Ruby on Rails の Active Record の activerecord/lib/active_record/nested_attributes.rb は、特定の destroy オプションを適切に実装していないため、変更制限を回避される脆弱性が存在します。補足情報 : CWE による脆弱性タイプは、CWE-284: Improper Access Control (不適切なアクセス制御) と識別されています。 http://cwe.mitre.org/data/definitions/284.html
想定される影響	第三者により、ネストされた属性の機能の使用を利用されることで、変更制限を回避される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2015年11月27日0:00
登録日	2016年3月15日14:33
最終更新日	2016年3月15日14:33

CVSS2.0 : 警告
スコア	5
ベクター	AV:N/AC:L/Au:N/C:N/I:P/A:N

影響を受けるシステム

Ruby on Rails project

Rails 3.1.x

Rails 3.2.22.1 未満の 3.2.x

Rails 4.0.x

Rails 4.1.14.1 未満の 4.1.x

Rails 4.2.5.1 未満の 4.2.x

Rails 5.0.0.beta1.1 未満の 5.x

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-7577	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
National Vulnerability Database (NVD)
2	CVE-2015-7577	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7577

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	名前	URL
Google Groups
1	[CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ

変更履歴

No	変更内容	変更日
0	[2016年03月15日] 掲載	2018年2月17日10:37

NVD脆弱性情報

CVE-2015-7577

概要	activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
公表日	2016年2月16日11:59
登録日	2021年1月26日14:56
最終更新日	2024年11月21日11:37

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1::::::
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2::::::
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails::::::::		3.2.22
cpe:2.3:a:rubyonrails:rails:4.0.0:-::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:-::::::
cpe:2.3:a:rubyonrails:rails:4.0.2:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.6:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.1.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:4.1.0:beta2::::::
cpe:2.3:a:rubyonrails:rails:4.1.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.2:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.2:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.2:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.2:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.1.6:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.6:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.6:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.9:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.9:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:rc4::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.12:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.12:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.13:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.13:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.14:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.14:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.14:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:beta2::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:beta3::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:beta4::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.1:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.1:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.2.1:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.2.1:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.1:rc4::::::
cpe:2.3:a:rubyonrails:rails:4.2.3:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.3:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.4:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.5:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.5:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.2.5:::::::*
cpe:2.3:a:rubyonrails:rails:5.0.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:4.0.7:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.8:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.9:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.1:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.3:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.4:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.5:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.7:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.7.1:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.8:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.2:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.0:beta::::::
cpe:2.3:a:rubyonrails:rails:4.0.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc4::::::
cpe:2.3:a:rubyonrails:rails:4.0.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.4:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.6:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.6:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.6:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.0.3:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.5:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.10:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.10:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.0:-::::::

構成1	以上	以下	より上	未満
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1::::::
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2::::::
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:::::::*
cpe:2.3:a:rubyonrails:ruby_on_rails::::::::		3.2.22
cpe:2.3:a:rubyonrails:rails:4.0.0:-::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:-::::::
cpe:2.3:a:rubyonrails:rails:4.0.2:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.6:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.1.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:4.1.0:beta2::::::
cpe:2.3:a:rubyonrails:rails:4.1.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.2:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.2:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.2:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.2:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.1.6:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.6:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.6:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.9:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.9:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:rc4::::::
cpe:2.3:a:rubyonrails:rails:4.1.10:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.12:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.12:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.13:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.13:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.14:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.1.14:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.1.14:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:beta2::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:beta3::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:beta4::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.2.0:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.1:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.1:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.2.1:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.2.1:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.1:rc4::::::
cpe:2.3:a:rubyonrails:rails:4.2.3:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.3:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.4:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.5:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.2.5:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.2.5:::::::*
cpe:2.3:a:rubyonrails:rails:5.0.0:beta1::::::
cpe:2.3:a:rubyonrails:rails:4.0.7:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.8:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.9:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.1:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.3:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.4:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.5:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.7:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.7.1:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.8:::::::*
cpe:2.3:a:rubyonrails:rails:4.2.2:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.0:beta::::::
cpe:2.3:a:rubyonrails:rails:4.0.0:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.0:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc3::::::
cpe:2.3:a:rubyonrails:rails:4.0.1:rc4::::::
cpe:2.3:a:rubyonrails:rails:4.0.4:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.4:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.6:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.6:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.6:rc2::::::
cpe:2.3:a:rubyonrails:rails:4.0.3:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.5:::::::*
cpe:2.3:a:rubyonrails:rails:4.0.10:rc1::::::
cpe:2.3:a:rubyonrails:rails:4.0.10:::::::*
cpe:2.3:a:rubyonrails:rails:4.1.0:-::::::

No	URL	refsource	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html
5	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
6	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
7	http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
8	http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
9	http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
10	http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
11	http://rhn.redhat.com/errata/RHSA-2016-0296.html
12	http://rhn.redhat.com/errata/RHSA-2016-0296.html
13	http://www.debian.org/security/2016/dsa-3464
14	http://www.debian.org/security/2016/dsa-3464
15	http://www.openwall.com/lists/oss-security/2016/01/25/10
16	http://www.openwall.com/lists/oss-security/2016/01/25/10
17	http://www.securityfocus.com/bid/81806
18	http://www.securityfocus.com/bid/81806
19	http://www.securitytracker.com/id/1034816
20	http://www.securitytracker.com/id/1034816
21	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ
22	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/cawsWcQ6c8g/LATIsglZEgAJ