{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-08-14T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-01-04T17:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[rubyonrails-security] 20140818 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"}, {"name": "60347", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/60347"}, {"name": "[oss-security] 20140814 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/08/18/10"}, {"name": "RHSA-2014:1102", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3514", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[rubyonrails-security] 20140818 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"}, {"name": "60347", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60347"}, {"name": "[oss-security] 20140814 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/08/18/10"}, {"name": "RHSA-2014:1102", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:43:06.282Z"}, "title": "CVE Program Container", "references": [{"name": "[rubyonrails-security] 20140818 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"}, {"name": "60347", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/60347"}, {"name": "[oss-security] 20140814 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2014/08/18/10"}, {"name": "RHSA-2014:1102", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3514", "datePublished": "2014-08-20T10:00:00.000Z", "dateReserved": "2014-05-14T00:00:00.000Z", "dateUpdated": "2024-08-06T10:43:06.282Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", "matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", "matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls."}, {"lang": "es", "value": "activerecord/lib/active_record/relation/query_methods.rb en Active Record en Ruby on Rails 4.0.x anterior a 4.0.9 y 4.1.x anterior a 4.1.5 permite a atacantes remotos evadir el mecanismo de protecci\u00f3n de par\u00e1metros fuertes a trav\u00e9s de entradas manipuladas en una aplicaci\u00f3n que realiza llamadas create_with."}], "id": "CVE-2014-3514", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-08-20T11:17:14.483", "references": [{"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2014/08/18/10"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/60347"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2014/08/18/10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-1102.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/60347"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2014:1102", "cpe": "cpe:/a:redhat:rhel_software_collections:1::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-2.3.el6", "product_name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6", "release_date": "2014-08-27T00:00:00Z"}, {"advisory": "RHSA-2014:1102", "cpe": "cpe:/a:redhat:rhel_software_collections:1::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-2.3.el6", "product_name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS", "release_date": "2014-08-27T00:00:00Z"}, {"advisory": "RHSA-2014:1102", "cpe": "cpe:/a:redhat:rhel_software_collections:1::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-2.3.el7", "product_name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux 7", "release_date": "2014-08-27T00:00:00Z"}], "bugzilla": {"description": "rubygem-activerecord: Strong Parameter bypass with create_with", "id": "1131240", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131240"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "verified"}, "cwe": "CWE-88", "details": ["activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.", "It was discovered that Active Record's create_with method failed to properly check attributes passed to it. A remote attacker could possibly use this flaw to bypass the strong parameter protection and modify arbitrary model attributes via mass assignment if an application using Active Record called create_with with untrusted values."], "name": "CVE-2014-3514", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "rubygem-activerecord", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:redhat:openstack-installer:5", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "OpenStack Foreman"}, {"cpe": "cpe:/a:redhat:openstack:4", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "Red Hat OpenStack Platform 4"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Not affected", "package_name": "ruby193-rubygem-activerecord", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Not affected", "package_name": "rubygem-activerecord", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2014-08-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3514\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3514"], "threat_severity": "Important"}

{}