ruby-rails: strong parameter bypass with create_with (CVE-2014-3514)
There is a vulnerability in the create_with method in Active Record. This
vulnerability has been assigned the CVE identifier CVE-2014-3514.
Versions Affected: 4.0.0 and All Later Versions.
Not affected: Versions earlier than 4.0.0
Fixed Versions: 4.0.9 4.1.5
Impact
------

The create_with functionality in Active Record was implemented incorrectly
and completely bypasses the strong parameters protection. Applications
which pass user-controlled values to create_with could allow attackers to
set arbitrary attributes on models.

All users running an affected release should either upgrade or use one of
the workarounds immediately.

Releases
--------
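The following is an added, stand-alone Ruby illustration of the bug class described above; it is not Rails' own code. A toy Params class stands in for ActionController::Parameters, one create_with-style builder merges values without checking permitted? (the affected behaviour), and a second refuses unpermitted parameters the way ActiveModel's ForbiddenAttributesProtection does in the fixed releases. The User model, attribute names and request body are constructed for the example.

```ruby
# Added stand-alone model of the CVE-2014-3514 bug class (not Rails code).
class ForbiddenAttributesError < StandardError; end

# Toy stand-in for ActionController::Parameters: a hash plus a flag that
# only #permit sets. Strong parameters only protect a mass-assignment path
# if that path checks the flag before using the values.
class Params
  def initialize(hash, permitted = false)
    @hash, @permitted = hash, permitted
  end

  def permitted?
    @permitted
  end

  def to_h
    @hash.dup
  end

  # Whitelist only the named keys; the result is marked permitted.
  def permit(*keys)
    Params.new(@hash.select { |k, _| keys.include?(k) }, true)
  end
end

# Toy model (constructed): attributes are whatever the builder hands it.
class User
  attr_reader :attributes
  def initialize(attrs)
    @attributes = attrs
  end
end

# Affected behaviour: the create_with value is merged with no permitted?
# check, so every key the client sent becomes an attribute.
def vulnerable_create_with(model, params)
  model.new(params.to_h)
end

# Fixed behaviour: mirror ActiveModel::ForbiddenAttributesProtection and
# refuse parameter objects that never went through #permit. Plain hashes
# (not user input) pass through unchanged.
def fixed_create_with(model, params)
  if params.respond_to?(:permitted?) && !params.permitted?
    raise ForbiddenAttributesError, "unpermitted params passed to create_with"
  end
  model.new(params.to_h)
end

# Constructed signup request where the client also sent an "admin" key.
REQUEST = Params.new({ "name" => "alice", "admin" => true })
```

Pass REQUEST to both builders to see the difference: the vulnerable one stores "admin", the fixed one raises unless the caller first narrows the input with REQUEST.permit("name").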
The 4.0.9 and 4.1.5 releases are available at the normal locations.
References:
CONFIRM: http://seclists.org/oss-sec/2014/q3/402
(from redmine: issue id 3331, created on 2014-08-27, closed on 2014-12-10)
- Relations:
- child #3332 (closed)
- child #3333 (closed)