CVE-2014-3514Improper Access Control in Project Activerecord

CWE-264CWE-284Improper Access ControlCWE-88Argument Injection9 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 43.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Rubyonrails RailsActiverecord Project Activerecord
Timeline
PublishedAug 20
Latest updateOct 24

Description

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

RubyGemsactiverecord_project/activerecord4.0.04.0.9+1
Debianrubyonrails/rails< 2:4.1.5-1+3
NVDrubyonrails/rails14 versions+13

🔴Vulnerability Details

4
GHSA
Active Record subject to strong parameters protection bypass2017-10-24
OSV
Active Record subject to strong parameters protection bypass2017-10-24
CVEList
CVE-2014-3514: activerecord/lib/active_record/relation/query_methods2014-08-20
OSV
CVE-2014-3514: activerecord/lib/active_record/relation/query_methods2014-08-20

📋Vendor Advisories

2
Red Hat
rubygem-activerecord: Strong Parameter bypass with create_with2014-08-18
Debian
CVE-2014-3514: rails - activerecord/lib/active_record/relation/query_methods.rb in Active Record in Rub...2014

💬Community

2
Bugzilla
CVE-2014-3514 rubygem-activerecord: Strong Parameter bypass with create_with [fedora-20]2014-08-25
Bugzilla
CVE-2014-3514 rubygem-activerecord: Strong Parameter bypass with create_with2014-08-18
CVE-2014-3514 — Improper Access Control | cvebase