Sha256: 726d0e2c16b76d770c66b1e0704dbbd85a1731aebbc908a2a7f15c2d64675ea3

Contents?: true

Size: 597 Bytes

Versions: 6

Compression:

Stored size: 597 Bytes

Contents

---
gem: activerecord
framework: rails
cve: 2014-3514
url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
title: Data Injection Vulnerability in Active Record 
date: 2014-08-18

description: >-
  The create_with functionality in Active Record was implemented
  incorrectly and completely bypasses the strong parameters
  protection. Applications which pass user-controlled values to
  create_with could allow attackers to set arbitrary attributes on
  models.
  
cvss_v2: 8.7

unaffected_versions:
  - "< 4.0.0"

patched_versions:
  - ~> 4.0.9 
  - ">= 4.1.5"

Version data entries

6 entries across 6 versions & 2 rubygems

Version                 Path
bundler-audit-0.7.0.1   data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml
bundler-budit-0.6.2     data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml
bundler-budit-0.6.1     data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml
bundler-audit-0.6.1     data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml
bundler-audit-0.6.0     data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml
bundler-audit-0.5.0     data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml