---
gem: activerecord
framework: rails
cve: 2014-3514
url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
title: Data Injection Vulnerability in Active Record
date: 2014-08-18
description: >-
  The create_with functionality in Active Record was implemented incorrectly
  and completely bypasses the strong parameters protection. Applications which
  pass user-controlled values to create_with could allow attackers to set
  arbitrary attributes on models.
cvss_v2: 8.7
unaffected_versions:
  - "< 4.0.0"
patched_versions:
  - ~> 4.0.9
  - ">= 4.1.5"