activemodel is a toolkit for building modeling frameworks like Active Record.
Affected versions of this Gem are vulnerable to Input Validation Bypass Attacks.
Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations.
Vulnerable code will look something like this:
SomeModel.new(unverified_user_input) # a Hash taken straight from the request, with no allowlisting of keys
Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to whitelist parameters and must specifically opt-out of input verification using the permit! method to allow mass assignment.
For example, a vulnerable Rails application will have code that looks like this:
def create
  params.permit! # allow all parameters: every key the client sent now reaches the model
  @user = User.new params[:users]
end
Active Model and Active Record objects are not equipped to handle arbitrary user input. It is up to the application to verify input before passing it to Active Model models. Rails users already have Strong Parameters in place to handle whitelisting, but applications using Active Model and Active Record outside of a Rails environment may be impacted.
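The following is an added example, not code from this advisory or from Rails: an explicit allowlist applied to request data before it reaches an Active Model or Active Record object, for applications outside Rails where Strong Parameters is not available. The helper names, the allowlist format and the sample request hash are assumptions made for the illustration.

```ruby
# Added example, not from the advisory or from Rails: only keys the
# application explicitly expects are passed on to the model; everything
# else is dropped and reported so the application can log it.

# Treat "name" and :name alike.
def stringify_keys(input)
  input.each_with_object({}) { |(k, v), out| out[k.to_s] = v }
end

# allowed lists attribute names; a Hash entry such as {"address" => ["city"]}
# allowlists a nested hash recursively. Returns [permitted, rejected].
def permit_attributes(input, allowed)
  raise ArgumentError, "expected a Hash, got #{input.class}" unless input.is_a?(Hash)
  input = stringify_keys(input)
  permitted = {}
  rejected = []

  allowed.each do |entry|
    if entry.is_a?(Hash)
      entry.each do |key, nested_allowed|
        key = key.to_s
        next unless input.key?(key)
        next rejected << key unless input[key].is_a?(Hash)
        sub_permitted, sub_rejected = permit_attributes(input[key], nested_allowed)
        permitted[key] = sub_permitted
        rejected.concat(sub_rejected.map { |r| "#{key}.#{r}" })
      end
    elsif input.key?(entry.to_s)
      permitted[entry.to_s] = input[entry.to_s]
    end
  end
  # Anything the allowlist did not name is rejected, never silently assigned.
  [permitted, (rejected + (input.keys - permitted.keys)).uniq]
end

# Constructed sample request body: alongside the expected fields it carries
# keys the application never asked for, which must not reach the model.
UNVERIFIED_INPUT = {
  "name" => "alice",
  "email" => "alice@example.test",
  "admin" => true,
  "address" => { "city" => "Oslo", "geo" => "x" }
}
USER_ALLOWLIST = ["name", "email", { "address" => ["city"] }]

permitted, rejected = permit_attributes(UNVERIFIED_INPUT, USER_ALLOWLIST)
# permitted => {"name"=>"alice", "email"=>"alice@example.test", "address"=>{"city"=>"Oslo"}}
# rejected  => ["address.geo", "admin"]
```

Only `permitted` is then handed to the model (for example `User.new(permitted)`), and `rejected` is what the application should log, since unexpected keys in a request are worth noticing.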