Moderate severityNVD Advisory· Published Oct 28, 2010· Updated Jun 16, 2026
CVE-2010-3933
CVE-2010-3933
Description
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
activerecordRubyGems | >= 2.3.9, < 2.3.10 | 2.3.10 |
activerecordRubyGems | >= 3.0.0, < 3.0.1 | 3.0.1 |
Affected products
3cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
12- secunia.com/advisories/41930nvdVendor Advisory
- weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0nvdVendor AdvisoryWEB
- www.vupen.com/english/advisories/2010/2719nvdVendor Advisory
- github.com/advisories/GHSA-gjxw-5w2q-7grfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2010-3933ghsaADVISORY
- github.com/rails/rails/commit/2d96bccb1e8b62e3e11ca0c5d38aaa8cece889aeghsaWEB
- github.com/rails/rails/commit/96183e0f284bab27667e5a38fa6a1578eb029585ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2010-3933.ymlghsaWEB
- web.archive.org/web/20101129225633/http://securitytracker.com/alerts/2010/Oct/1024624.htmlghsaWEB
- web.archive.org/web/20111225083933/http://secunia.com/advisories/41930ghsaWEB
- web.archive.org/web/20201208053819/http://securitytracker.com/idghsaWEB
- securitytracker.com/idnvd
News mentions
0No linked articles in our index yet.