CVE-2014-3514 – activerecord
Package
Manager: gem
Name: activerecord
Vulnerable Version: >=4.0.0 <4.0.9 || >=4.1.0 <4.1.5
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00331 (percentile: 0.55394)
Details
Active Record subject to strong parameters protection bypass
`activerecord/lib/active_record/relation/query_methods.rb` in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes `create_with` calls.
Metadata
Created: 2017-10-24T18:33:36Z
Modified: 2023-08-25T22:56:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-9rf5-jm6f-2fmm/GHSA-9rf5-jm6f-2fmm.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-9rf5-jm6f-2fmm
Finding: F039
Auto approve: 1