Ruby on Rails update closes vulnerability
The Ruby on Rails developers have released versions 3.0.1 and 2.3.10 of the web application framework, closing a vulnerability in Rails handing of nested attributes, specifically the use of accepts_nested_attributes_for. If an application does not use accepts_nested_attributes_for or uses a version of Rails earlier than 2.3.9, then it is not affected by the issue. Where the problem does exist it allows an attacker to manipulate form inputs and make arbitrary changes to records in the system. The developers say all users running an affected release should upgrade immediately.
The 2.3.10 release is a regular release of the Rails 2.3 series, but the 3.0.1 release contains only the security fix. A 3.0.2 release is due to follow which will include other bug fixes. Patches are also available in the advisory for users who are not able to upgrade immediately. The developers thanked researchers at Enemy & Son for reporting the issue and helping to verify the fix.