Active Record subject to strong parameters protection bypass

GHSA-9rf5-jm6f-2fmm · CVE-2014-3514

Published Oct 24, 2017 · Modified Nov 29, 2024

Description

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-3514
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-3514.yml
WEB https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
WEB https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
WEB http://openwall.com/lists/oss-security/2014/08/18/10
WEB http://rhn.redhat.com/errata/RHSA-2014-1102.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes