There is a vulnerability in the nested attributes handling code in some versions of Ruby on Rails. An attacker could manipulate form parameters and make changes to records other than those the developer intended. This vulnerability has been assigned the identifier CVE-2010-3933.
- Versions Affected: 3.0.0, 2.3.9
- Not affected: Versions earlier than 2.3.9 and applications which do not use accepts_nested_attributes_for
- Fixed Versions: 3.0.1, 2.3.10
An attacker could change parameter names for form inputs and make changes to arbitrary records in the system. All users running an affected release should upgrade immediately.
The 3.0.1 and 2.3.10 releases are available at the normal locations. The 3.0.1 release consists solely of 3.0.0 with the security issue fixed, 3.0.2 will follow shortly and include other bugfixes as well as this fix. 2.3.10 is a regular release in the 2.3 series.
There are no feasible workarounds for this issue.
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.
Thanks to Matti Paksula and Juha Suuraho of Enemy & Sons Ltd for reporting the vulnerability to us and helping verify the fix.