exploitDog

CVE-2014-3514

Published: 18 Aug 2014
Source: redhat
CVSS2: 5.8

Description

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

It was discovered that Active Record's create_with method failed to properly check attributes passed to it. A remote attacker could possibly use this flaw to bypass the strong parameter protection and modify arbitrary model attributes via mass assignment if an application using Active Record called create_with with untrusted values.

Affected packages

| Platform | Package | State | Advisory | Release |
| --- | --- | --- | --- | --- |
| CloudForms Management Engine 5 | cfme-gemset | Not affected | | |
| CloudForms Management Engine 5 | ruby193-rubygem-activerecord | Not affected | | |
| OpenShift Enterprise 1 | ruby193-rubygem-activerecord | Not affected | | |
| OpenStack Foreman | ruby193-rubygem-activerecord | Not affected | | |
| Red Hat OpenStack Platform 4 | ruby193-rubygem-activerecord | Not affected | | |
| Red Hat Software Collections | ruby193-rubygem-activerecord | Not affected | | |
| Red Hat Subscription Asset Manager | ruby193-rubygem-activerecord | Not affected | | |
| Red Hat Subscription Asset Manager | rubygem-activerecord | Not affected | | |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 | ror40-rubygem-activerecord | Fixed | RHSA-2014:1102 | 27.08.2014 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS | ror40-rubygem-activerecord | Fixed | RHSA-2014:1102 | 27.08.2014 |

Additional information

Status: Important
Defect: CWE-88
https://bugzilla.redhat.com/show_bug.cgi?id=1131240 rubygem-activerecord: Strong Parameter bypass with create_with

CVSS2: 5.8 Medium

Related vulnerabilities

ubuntu
more than 11 years ago

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

nvd
more than 11 years ago

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

debian
more than 11 years ago

activerecord/lib/active_record/relation/query_methods.rb in Active Rec ...

github
more than 8 years ago

Active Record subject to strong parameters protection bypass
