- Versions Affected: 3.0.0, 2.3.9
- Not affected: Versions earlier than 2.3.9 and applications which do not use accepts_nested_attributes_for
- Fixed Versions: 3.0.1, 2.3.10
Impact
An attacker could change parameter names for form inputs and make changes to arbitrary records in the system. All users running an affected release should upgrade immediately.Releases
The 3.0.1 and 2.3.10 releases are available at the normal locations. The 3.0.1 release consists solely of 3.0.0 with the security issue fixed, 3.0.2 will follow shortly and include other bugfixes as well as this fix. 2.3.10 is a regular release in the 2.3 series.Workarounds
There are no feasible workarounds for this issue.Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.
Credits
Thanks to Matti Paksula and Juha Suuraho of Enemy & Sons Ltd for reporting the vulnerability to us and helping verify the fix.For Free consultation on regarding RoR Installation, RoR Developers, RoR Development, ROR Programmer log on to http://www.dckap.com
Source: http://weblog.rubyonrails.org/
0 comments:
Post a Comment