From ${URL} : Nested attributes rejection proc bypass in Active Record. There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577. Versions Affected: 3.1.0 and newer Not affected: 3.0.x and older Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 Impact ------ When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. However due to a change in the commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However this isn't true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could use this do things like set attributes to invalid values and to clear all of the attributes amongst other things. The severity will be dependent on how the application has used this feature. @maintainer(s): since the fixed version is already in the tree, please remove the affected versions.
Vulnerable versions for Rails 3.2, 4.1, and 4.2 have been removed.
Cleanup complete per previous comments.
