Versions Affected: 3.0.0, 2.3.9
Not affected: Versions earlier than 2.3.9 and applications which
do not use accepts_nested_attributes_for
Fixed Versions: 3.0.1, 2.3.10
An attacker could change parameter names for form inputs and make
changes to arbitrary records in the system. All users running an
affected release should upgrade immediately.
The 3.0.1 and 2.3.10 releases are available at the normal locations.
The 3.0.1 release consists solely of 3.0.0 with the security issue
fixed, 3.0.2 will follow shortly and include other bugfixes as well as
this fix. 2.3.10 is a regular release in the 2.3 series.
There are no feasible workarounds for this issue.
To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.
* 2-3-nested_attributes.patch - Patch for 2.3 series
* 3-0-nested_attributes.patch - Patch for 3.0 series
Please note that only the 2.3.x and 3.0.x series are supported at
present. Users of earlier unsupported releases are advised to upgrade
as soon as possible.
Thanks to Matti Paksula and Juha Suuraho of Enemy & Sons Ltd for
reporting the vulnerability to us and helping verify the fix.