Ruby · Ruby On Rails · CVE-2015-7577
**Name of the Vulnerable Software and Affected Versions**
Ruby on Rails versions 3.1.x through 3.2.x before 3.2.22.1
Ruby on Rails versions 4.0.x through 4.1.x before 4.1.14.1
Ruby on Rails versions 4.2.x before 4.2.5.1
Ruby on Rails versions 5.x before 5.0.0.beta1.1
**Description**
The flaw is in the `activerecord/lib/active_record/nested_attributes.rb` file in Active Record in Ruby on Rails, which does not properly implement a certain destroy option. A remote attacker can use the nested attributes feature to bypass intended change restrictions. The underlying weakness is inadequate access control: through nested attributes, the attacker circumvents existing access restriction policies.
**Recommendations**
For Ruby on Rails versions 3.1.x through 3.2.x before 3.2.22.1, update to version 3.2.22.1 or later.
For Ruby on Rails versions 4.0.x through 4.1.x before 4.1.14.1, update to version 4.1.14.1 or later.
For Ruby on Rails versions 4.2.x before 4.2.5.1, update to version 4.2.5.1 or later.
For Ruby on Rails versions 5.x before 5.0.0.beta1.1, update to version 5.0.0.beta1.1 or later.
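To check a project against the ranges above, the following added example (not code from Rails or from this advisory) reads the resolved `activerecord` version from `Gemfile.lock` text and reports the release to upgrade to. The helper names and the sample lockfile are constructed for illustration, and it assumes the `activerecord` gem version is the one to check, since the affected file ships in that gem.

```ruby
require "rubygems"

# Affected ranges copied from this advisory: [first affected, first fixed).
# Assumption: "5.0.0.a" is used as the lower bound of the 5.x range so that
# prereleases such as 5.0.0.beta1 (which sort below 5.0.0) are included.
AFFECTED_RANGES = [
  ["3.1.0",   "3.2.22.1"],
  ["4.0.0",   "4.1.14.1"],
  ["4.2.0",   "4.2.5.1"],
  ["5.0.0.a", "5.0.0.beta1.1"],
].map { |lo, fixed| [Gem::Version.new(lo), Gem::Version.new(fixed)] }.freeze

# Returns the fixed version (String) to upgrade to, or nil if not affected.
def cve_2015_7577_fix_for(version)
  v = Gem::Version.new(version)
  range = AFFECTED_RANGES.find { |lo, fixed| v >= lo && v < fixed }
  range && range[1].to_s
end

# Extracts the resolved activerecord version from Gemfile.lock text.
# Resolved gems sit at four spaces of indentation; dependency lines sit deeper.
def locked_activerecord_version(lockfile_text)
  lockfile_text[/^ {4}activerecord \(([^)\s]+)\)\s*$/, 1]
end

# Hypothetical helper: summarizes the finding for one lockfile.
def audit_lockfile(lockfile_text)
  version = locked_activerecord_version(lockfile_text)
  return { status: :not_found } if version.nil?
  fix = cve_2015_7577_fix_for(version)
  if fix
    { status: :affected, version: version, upgrade_to: fix }
  else
    { status: :not_affected, version: version }
  end
end

# Constructed sample lockfile fragment, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activemodel (4.2.5)
        activesupport (= 4.2.5)
      activerecord (4.2.5)
        activemodel (= 4.2.5)
        activesupport (= 4.2.5)
LOCK

p audit_lockfile(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

`Gem::Version` is used instead of string comparison because four-segment releases (`4.2.5.1`) and prereleases (`5.0.0.beta1`) do not order correctly as plain strings.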