Medium severity 5.3 · NVD Advisory · Published Feb 16, 2016 · Updated May 6, 2026

CVE-2015-7577

Description

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| activerecord (RubyGems) | >= 3.1.0, < 3.2.22.1 | 3.2.22.1 |
| activerecord (RubyGems) | >= 4.0.0, < 4.1.14.1 | 4.1.14.1 |
| activerecord (RubyGems) | >= 4.2.0, < 4.2.5.1 | 4.2.5.1 |
| activerecord (RubyGems) | >= 5.0.0.beta1, < 5.0.0.beta1.1 | 5.0.0.beta1.1 |

Affected products

86
  • Rubyonrails/Rails: 78 versions
  • cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* (+ 7 more)
    • cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* (range: <=3.2.22)
    • cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*
