RubySec

Providing security resources for the Ruby community

CVE-2014-3514 (activerecord): Data Injection Vulnerability in Active Record

ADVISORIES

GEM

activerecord

FRAMEWORK

rails

SEVERITY

CVSS v2: 8.7

UNAFFECTED VERSIONS

  • < 4.0.0

PATCHED VERSIONS

  • ~> 4.0.9
  • >= 4.1.5

DESCRIPTION

The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection. Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models.