CVE-2014-3514
Ruby on Rails Active Record 4.0.0-4.0.8 - Strong Parameters Protection Bypass via create_with
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
References (4)
Mailing List (mailing-list, x_refsource_mlist): https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/60347
Mailing List (mailing-list, x_refsource_mlist): http://openwall.com/lists/oss-security/2014/08/18/10
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-1102.html
Scores
EPSS: 0.0033
EPSS Percentile: 56.1%
Details
CWE: CWE-264
Status: published
Products (15)
rubygems/activerecord: 4.0.0 - 4.0.9 (RubyGems)
rubyonrails/rails: 4.0.0 (4 CPE variants)
rubyonrails/rails: 4.0.1 (5 CPE variants)
rubyonrails/rails: 4.0.2
rubyonrails/rails: 4.0.3
rubyonrails/rails: 4.0.4
rubyonrails/rails: 4.0.5
rubyonrails/rails: 4.0.6 (4 CPE variants)
rubyonrails/rails: 4.0.7
rubyonrails/rails: 4.0.8
... and 5 more
Published: Aug 20, 2014
Tracked Since: Feb 18, 2026