Data Injection Vulnerability in Active Record
Published: August 18, 2014
SECURITY IDENTIFIERS
- CVE: CVE-2014-3514 (NVD)
- GHSA: GHSA-9rf5-jm6f-2fmm
- Vendor Advisory: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
GEM
FRAMEWORK
SEVERITY
CVSS v2.0: 8.7 (High)
UNAFFECTED VERSIONS
< 4.0.0
PATCHED VERSIONS
~> 4.0.9
>= 4.1.5
DESCRIPTION
The create_with functionality in Active Record was implemented incorrectly: it applied the attributes it was given without checking whether they had been permitted, completely bypassing the strong parameters protection. Applications that pass user-controlled values to create_with could therefore allow attackers to set arbitrary attributes on models.
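The following is an added example, not code from the advisory or from Rails itself. It models the strong-parameters contract that create_with failed to honour, without requiring Rails: a hypothetical Params class stands in for ActionController::Parameters (permitted?/permit), a User struct stands in for a model with a privileged admin attribute, and create_with_unchecked / create_with_checked are stand-ins for the behaviour before and after the fix. All of those names are assumptions made for the example.

```ruby
# Added example (not from the advisory or from Rails): a minimal, Rails-free
# model of the strong-parameters contract that create_with must honour.
# Params, User, create_with_unchecked and create_with_checked are hypothetical stand-ins.

class ForbiddenAttributesError < StandardError; end

# Mimics the permitted?/permit contract of a request-parameters object:
# a hash is "unpermitted" until an allowlist has been applied to it.
class Params
  attr_reader :to_h

  def initialize(hash, permitted: false)
    @to_h = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Keep only allowlisted keys and mark the result as permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@to_h.select { |k, _| allowed.include?(k) }, permitted: true)
  end
end

# Stand-in for a model row that carries a privileged attribute.
User = Struct.new(:name, :admin)

def attributes_of(attrs)
  attrs.respond_to?(:to_h) ? attrs.to_h : attrs
end

# The flawed behaviour the advisory describes: attributes are applied without
# consulting permitted?, so a user-controlled "admin" key lands on the model.
def create_with_unchecked(attrs)
  h = attributes_of(attrs)
  User.new(h["name"], h["admin"] || false)
end

# The hardened behaviour: refuse any parameters object that has not been permitted
# (plain hashes built by application code are still accepted, as they carry no flag).
def create_with_checked(attrs)
  if attrs.respond_to?(:permitted?) && !attrs.permitted?
    raise ForbiddenAttributesError, "unpermitted attributes passed to create_with"
  end
  h = attributes_of(attrs)
  User.new(h["name"], h["admin"] || false)
end

# Constructed request body (not real traffic): a client tries to set admin on itself.
def tampered_request_params
  Params.new({ "name" => "alice", "admin" => true })
end

if __FILE__ == $0
  puts "unchecked: admin=#{create_with_unchecked(tampered_request_params).admin}"
  begin
    create_with_checked(tampered_request_params)
  rescue ForbiddenAttributesError => e
    puts "checked: #{e.message}"
  end
  safe = create_with_checked(tampered_request_params.permit(:name))
  puts "checked with allowlist: name=#{safe.name} admin=#{safe.admin}"
end
```

In a real Rails application the equivalent defence is to upgrade to a patched version (4.0.9 or 4.1.5 and later, where create_with itself performs this check) and, independently of the version, to hand create_with only an allowlisted hash such as `params.require(:user).permit(:name)` rather than the raw request parameters.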
