Vulnerability CVE-2014-3514

Vulnerability Name:

CVE-2014-3514 (CCN-95333)

Assigned:

2014-08-18

Published:

2014-08-18

Updated:

2019-08-08

Summary:

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2014-3514

Source: MLIST
Type: UNKNOWN
[oss-security] 20140814 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with

Source: REDHAT
Type: UNKNOWN
RHSA-2014:1102

Source: CCN
Type: oss-security Mailing List, Mon, 18 Aug 2014 14:11:26 -0300
[Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with

Source: SECUNIA
Type: UNKNOWN
60347

Source: CCN
Type: Ruby on Rails Web site
Rails 4.0.9 and 4.1.5 have been released!

Source: CCN
Type: BID-69265
Ruby on Rails 'create_with()' Function Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
rubyonrails-cve20143514-sec-bypass(95333)

Source: MLIST
Type: UNKNOWN
[rubyonrails-security] 20140818 [Ruby on Rails] [CVE-2014-3514] Strong Parameter bypass with create_with

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-3514

Vulnerable Configuration:

Configuration 1:

cpe:/a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*

OR cpe:/a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:rubyonrails:rails:4.1.2:-:*:*:*:*:*:*

OR cpe:/a:rubyonrails:ruby_on_rails:4.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20143514	V	CVE-2014-3514	2022-06-30
oval:org.opensuse.security:def:27	P	clamav-0.103.2-3.26.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:13	P	avahi-0.7-3.6.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:113364	P	ruby2.2-rubygem-railties-4_2-4.2.7.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:67550	P	Security update for java-1_8_0-openjdk (Important)	2021-11-23
oval:org.opensuse.security:def:55266	P	Security update for pcre (Moderate)	2021-11-10
oval:org.opensuse.security:def:106771	P	ruby2.2-rubygem-railties-4_2-4.2.7.1-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:55949	P	Security update for gtk-vnc (Moderate)	2021-09-16
oval:org.opensuse.security:def:70790	P	Security update for transfig (Moderate)	2021-07-22
oval:org.opensuse.security:def:70903	P	flac-devel-1.3.2-1.29 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:55783	P	Security update for spice-gtk (Important)	2020-12-16
oval:org.opensuse.security:def:55126	P	Security update for xen (Important)	2020-12-10
oval:org.opensuse.security:def:96512	P	ruby2.5-rubygem-railties-5_1-5.1.4-1.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:103202	P	ruby2.5-rubygem-railties-5_1-5.1.4-1.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:89547	P	ruby2.5-rubygem-railties-5_1-5.1.4-1.27 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:67450	P	Security update for squid (Important)	2020-12-01
oval:org.opensuse.security:def:56342	P	Security update for transfig (Moderate)	2020-12-01
oval:org.opensuse.security:def:56627	P	Security update for libXdmcp (Moderate)	2020-12-01
oval:org.opensuse.security:def:56434	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:55103	P	expat on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64203	P	ruby2.5-rubygem-railties-5_1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56508	P	Security update for gdk-pixbuf (Low)	2020-12-01
oval:org.opensuse.security:def:55504	P	Security update for DirectFB (Important)	2020-12-01
oval:org.opensuse.security:def:64116	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:56234	P	Security update for postgresql96 (Moderate)	2020-12-01
oval:org.opensuse.security:def:55104	P	facter on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56546	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:55677	P	Security update for dhcp (Moderate)	2020-12-01
oval:com.ubuntu.precise:def:20143514000	V	CVE-2014-3514 on Ubuntu 12.04 LTS (precise) - medium.	2014-08-20
oval:com.ubuntu.trusty:def:20143514000	V	CVE-2014-3514 on Ubuntu 14.04 LTS (trusty) - medium.	2014-08-20

BACK