SYM_RB_0026 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
OWASP | A08:2021 - Software and Data Integrity Failures |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
`create_with` sets the attributes that a scoped `find_or_create_by` / `first_or_create` call uses when it has to build a new record. If a controller hands it the request parameters without first calling `permit`, every key the client sent becomes a model attribute, so strong parameters no longer limit mass assignment. Current Rails raises `ActiveModel::ForbiddenAttributesError` when an unpermitted `ActionController::Parameters` object reaches `create_with`; the Rails 4.0 and 4.1 releases that predate that check silently accepted it, and a plain `Hash` (for example the result of `to_unsafe_h`) is accepted by every version. An attacker can therefore set attributes the form never exposed, such as an `admin` or `role` column. The fix is to pass only `params.require(:model).permit(...)` to `create_with`, never the raw parameters.
Impact
If exploited, an attacker can write to any attribute the model exposes, not only the fields the form was meant to accept. Setting a privilege flag or role column gives privilege escalation; overwriting ownership, status or balance columns gives unauthorized data changes; in either case the integrity of the records the application relies on is lost, and sensitive data or operations that depend on those records may be exposed or disrupted.