RubySec

Providing security resources for the Ruby community

CVE-2014-3514 (activerecord): Data Injection Vulnerability in Active Record

GEM

activerecord

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v2.0: 8.7 (High)

UNAFFECTED VERSIONS

  • < 4.0.0

PATCHED VERSIONS

  • ~> 4.0.9
  • >= 4.1.5

DESCRIPTION

The create_with functionality in Active Record (the relation method used, for example, with first_or_create) was implemented incorrectly: unlike new and create, it did not run its argument through the strong parameters (forbidden attributes) check, so an unpermitted ActionController::Parameters hash is accepted as-is and the protection is completely bypassed. Applications which pass user-controlled values to create_with could therefore allow attackers to set arbitrary attributes on models (mass assignment). Rails releases before 4.0.0 are unaffected because they predate strong parameters; the patched releases add the check inside create_with. Independently of the upgrade, application code should only ever pass a hash that has been through permit to create_with.
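As an added illustration (this is not code from the advisory or from Rails itself), the Ruby stand-in below reproduces the shape of the three pieces involved: a Params class in place of ActionController::Parameters, the forbidden-attributes check that new and create already performed, and a relation whose create_with either stores the hash unchecked (the vulnerable 4.0.x/4.1.x behaviour) or sanitises it first (what the 4.0.9/4.1.5 fix does). The User model, the attacker payload and the class names are all constructed for the example; it runs without Rails installed.

```ruby
# Stand-in for the parts of Rails 4 involved in CVE-2014-3514.
# Added illustration, not Rails' own code.

class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters: a Hash that remembers whether
# it went through #permit.
class Params < Hash
  def initialize(hash = {}, permitted: false)
    super()
    hash.each { |k, v| self[k.to_s] = v }
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Whitelist: keep only the named keys and mark the result as permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(select { |k, _| allowed.include?(k) }, permitted: true)
  end
end

# Stand-in for ActiveModel::ForbiddenAttributesProtection: refuse any
# parameters object that has not been permitted; plain Hashes pass.
def sanitize_for_mass_assignment(attrs)
  if attrs.respond_to?(:permitted?) && !attrs.permitted?
    raise ForbiddenAttributesError, "unpermitted attributes: #{attrs.keys.join(', ')}"
  end
  attrs
end

# Toy model: whatever survives sanitisation is assigned to the record.
class User
  attr_reader :attributes

  def initialize(attrs)
    @attributes = { "admin" => false }.merge(attrs)
  end

  # Model.create always went through the check (this path was fine).
  def self.create(attrs)
    new(sanitize_for_mass_assignment(attrs))
  end

  def self.where(scope)
    Relation.new(scope)
  end
end

class Relation
  def initialize(scope, create_with_values = {})
    @scope = scope
    @create_with_values = create_with_values
  end

  # Unpatched 4.0.x/4.1.x stored the hash as-is. The fix runs it through the
  # same check that new/create use before storing it.
  def create_with(attrs, patched: false)
    attrs = sanitize_for_mass_assignment(attrs) if patched
    Relation.new(@scope, @create_with_values.merge(attrs))
  end

  # The record is built from scope + create_with values merged into a plain
  # Hash, which no longer responds to permitted?, so create cannot object.
  def first_or_create
    User.create(@scope.merge(@create_with_values))
  end
end

# Constructed attacker-controlled body: "admin" is not in any permit list.
def attacker_params
  Params.new({ "name" => "mallory", "admin" => true })
end

# Direct create rejects the unpermitted hash, as it always did.
def direct_create_raises?
  User.create(attacker_params)
  false
rescue ForbiddenAttributesError
  true
end

# Vulnerable path: the flag is lost in the merge and admin ends up true.
def unpatched_admin_flag
  User.where("email" => "mallory@example.com")
      .create_with(attacker_params)
      .first_or_create
      .attributes["admin"]
end

# Patched create_with refuses the unpermitted hash up front.
def patched_raises?
  User.where("email" => "mallory@example.com").create_with(attacker_params, patched: true)
  false
rescue ForbiddenAttributesError
  true
end

# Correct application code on any version: permit before create_with.
def permitted_admin_flag
  User.where("email" => "mallory@example.com")
      .create_with(attacker_params.permit(:name), patched: true)
      .first_or_create
      .attributes["admin"]
end

if $PROGRAM_NAME == __FILE__
  puts "User.create raises:            #{direct_create_raises?}"
  puts "unpatched create_with admin:   #{unpatched_admin_flag}"
  puts "patched create_with raises:    #{patched_raises?}"
  puts "permitted create_with admin:   #{permitted_admin_flag}"
end
```

The point the stand-in makes is why the bypass was complete rather than partial: the forbidden-attributes check keys off the permitted? method of the parameters object, and by the time first_or_create merges the create_with values with the where conditions the result is an ordinary Hash that has no such method, so nothing downstream can notice that the original input was never permitted. That is why the fix had to go into create_with itself, and why calling permit before create_with protects an application even on a vulnerable release.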