GitHub Advisory Database: GHSA-9RF5-JM6F-2FMM
History: Oct 24, 2017 - 6:33 p.m.

Active Record subject to strong parameters protection bypass

2017-10-24 18:33:36
CWE-284
GitHub Advisory Database
github.com

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.007 Low
Percentile: 80.9%

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

Affected configurations

Vulners
Node
activerecord_project  activerecord  Range <4.1.5  ruby
OR
activerecord_project  activerecord  Range <4.0.9  ruby

CPE
Name          Operator  Version
activerecord  lt        4.1.5
activerecord  lt        4.0.9
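
As an added example (not code from the advisory or from Rails), this Ruby script checks Gemfile.lock text for an activerecord version inside the ranges the description gives (4.0.x before 4.0.9, 4.1.x before 4.1.5) and lists create_with call sites for review. The sample lockfile and controller are constructed, and marking calls that mention params is a review heuristic assumed here, not something the advisory states.

```ruby
# Ranges from the advisory text: 4.0.x before 4.0.9 and 4.1.x before 4.1.5.
AFFECTED = [Gem::Requirement.new(">= 4.0.0", "< 4.0.9"),
            Gem::Requirement.new(">= 4.1.0", "< 4.1.5")].freeze

# Resolved activerecord version from Gemfile.lock text, or nil if absent.
def locked_activerecord_version(lockfile_text)
  # Resolved gems are indented four spaces; dependency lines use six.
  m = lockfile_text.match(/^ {4}activerecord \(([^)\s]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

def affected?(version)
  !version.nil? && AFFECTED.any? { |req| req.satisfied_by?(version) }
end

# create_with call sites as [line_no, code, mentions_params].
# Line-based heuristic (assumption): it shows a reviewer where to look.
def create_with_call_sites(source)
  source.each_line.with_index(1).map do |line, no|
    code = line.sub(/#.*$/, "").strip # crude comment strip
    next unless code.match?(/\bcreate_with\b/)
    [no, code, code.match?(/\bparams\b/)]
  end.compact
end

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activerecord (4.1.4)
        activemodel (= 4.1.4)
      rails (4.1.4)
        activerecord (= 4.1.4)
LOCK
SAMPLE_SOURCE = <<~RB
  class UsersController < ApplicationController
    def create
      # create_with is the call named in the advisory
      @user = User.create_with(params[:user]).find_or_create_by(email: params[:email])
      @tag  = Tag.create_with(color: "grey").find_or_create_by(name: "misc")
    end
  end
RB

version = locked_activerecord_version(SAMPLE_LOCK)
puts "activerecord #{version}: #{affected?(version) ? 'affected' : 'not affected'}"
create_with_call_sites(SAMPLE_SOURCE).each { |no, code, hit| puts "#{no}#{hit ? ' [params]' : ''}: #{code}" }
```

The version check uses the 4.0.x and 4.1.x bounds from the description, so a 3.x lockfile is not flagged even though the bare "lt" entries above would match it.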
