CVE-2014-3514
First published: Wed Aug 20 2014(Updated: )
`activerecord/lib/active_record/relation/query_methods.rb` in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes `create_with` calls.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/activerecord | >=4.1.0<4.1.5 | 4.1.5 |
| rubygems/activerecord | >=4.0.0<4.0.9 | 4.0.9 |
| Rubyonrails Rails | =4.0.0 | |
| Rubyonrails Rails | =4.0.0-beta | |
| Rubyonrails Rails | =4.0.0-rc1 | |
| Rubyonrails Rails | =4.0.0-rc2 | |
| Rubyonrails Rails | =4.0.1 | |
| Rubyonrails Rails | =4.0.1-rc1 | |
| Rubyonrails Rails | =4.0.1-rc2 | |
| Rubyonrails Rails | =4.0.1-rc3 | |
| Rubyonrails Rails | =4.0.1-rc4 | |
| Rubyonrails Rails | =4.0.2 | |
| Rubyonrails Rails | =4.0.3 | |
| Rubyonrails Rails | =4.0.4 | |
| Rubyonrails Rails | =4.0.5 | |
| Rubyonrails Rails | =4.0.6 | |
| Rubyonrails Rails | =4.0.6-rc1 | |
| Rubyonrails Rails | =4.0.6-rc2 | |
| Rubyonrails Rails | =4.0.6-rc3 | |
| Rubyonrails Rails | =4.0.7 | |
| Rubyonrails Rails | =4.0.8 | |
| Rubyonrails Rails | =4.1.0 | |
| Rubyonrails Rails | =4.1.0-beta1 | |
| Rubyonrails Rails | =4.1.1 | |
| Rubyonrails Rails | =4.1.2 | |
| Rubyonrails Rails | =4.1.2-rc1 | |
| Rubyonrails Rails | =4.1.2-rc2 | |
| Rubyonrails Rails | =4.1.2-rc3 | |
| Rubyonrails Rails | =4.1.3 | |
| Rubyonrails Rails | =4.1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2014-3514
- http://openwall.com/lists/oss-security/2014/08/18/10
- http://rhn.redhat.com/errata/RHSA-2014-1102.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-3514.yml
- https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
- https://github.com/advisories/GHSA-9rf5-jm6f-2fmm (Advisory)
- http://secunia.com/advisories/60347
- collector/github-advisory-latest
- alias/GHSA-9rf5-jm6f-2fmm
- alias/CVE-2014-3514
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/references
- agent/weakness
- agent/type
- agent/event
- agent/author
- agent/severity
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/rubygems
- vendor/rubyonrails
- canonical/rubyonrails rails
- version/rubyonrails rails/4.0.0
- version/rubyonrails rails/4.0.0-beta
- version/rubyonrails rails/4.0.0-rc1
- version/rubyonrails rails/4.0.0-rc2
- version/rubyonrails rails/4.0.1
- version/rubyonrails rails/4.0.1-rc1
- version/rubyonrails rails/4.0.1-rc2
- version/rubyonrails rails/4.0.1-rc3
- version/rubyonrails rails/4.0.1-rc4
- version/rubyonrails rails/4.0.2
- version/rubyonrails rails/4.0.3
- version/rubyonrails rails/4.0.4
- version/rubyonrails rails/4.0.5
- version/rubyonrails rails/4.0.6
- version/rubyonrails rails/4.0.6-rc1
- version/rubyonrails rails/4.0.6-rc2
- version/rubyonrails rails/4.0.6-rc3
- version/rubyonrails rails/4.0.7
- version/rubyonrails rails/4.0.8
- version/rubyonrails rails/4.1.0
- version/rubyonrails rails/4.1.0-beta1
- version/rubyonrails rails/4.1.1
- version/rubyonrails rails/4.1.2
- version/rubyonrails rails/4.1.2-rc1
- version/rubyonrails rails/4.1.2-rc2
- version/rubyonrails rails/4.1.2-rc3
- version/rubyonrails rails/4.1.3
- version/rubyonrails rails/4.1.4