Vulnerability Description
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rubyonrails | Rails | 4.0.0 |
Related Weaknesses (CWE)
References
- http://openwall.com/lists/oss-security/2014/08/18/10
- http://rhn.redhat.com/errata/RHSA-2014-1102.html
- http://secunia.com/advisories/60347
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540
- http://openwall.com/lists/oss-security/2014/08/18/10
- http://rhn.redhat.com/errata/RHSA-2014-1102.html
- http://secunia.com/advisories/60347
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540
FAQ
What is CVE-2014-3514?
CVE-2014-3514 is a vulnerability with a CVSS score of 7.5 (HIGH). activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection ...
How severe is CVE-2014-3514?
CVE-2014-3514 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3514?
Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails.