Platform: ruby
Component: activerecord
Fixed in: 4.0.9
CVE-2014-3514 is a high-severity vulnerability affecting Ruby on Rails applications. It allows remote attackers to bypass the strong parameters protection mechanism, potentially leading to unauthorized data modification or manipulation. This vulnerability impacts versions of Ruby on Rails 4.0.x prior to 4.0.9 and 4.1.x before 4.1.5. A fix is available in versions 4.0.9 and 4.1.5.
The core of this vulnerability lies in how ActiveRecord handles create_with calls. Strong parameters are designed to stop attackers from injecting unexpected attributes into database operations, but CVE-2014-3514 lets an attacker craft input that passes through create_with without that protection, so records can be created or modified with unintended or malicious attribute values. The impact ranges from data corruption and unauthorized access to full compromise of the application, depending on which data is manipulated and the application's overall security posture; in the worst case the injected data leads to privilege escalation or other malicious actions.
CVE-2014-3514 was publicly disclosed in 2017. While no active exploitation campaigns have been definitively linked to this specific CVE, the bypass of strong parameters is a critical security flaw. Public proof-of-concept exploits are available, demonstrating the vulnerability's feasibility. This CVE is not currently listed on CISA KEV. The NVD entry was published on 2017-10-24.
Applications using Ruby on Rails versions 4.0.x before 4.0.9 and 4.1.x before 4.1.5 are at risk. This includes legacy applications that haven't been updated recently, as well as applications that rely heavily on user-supplied data for database operations. Shared hosting environments running vulnerable Rails versions are also particularly vulnerable.
• ruby / server:
grep -r 'create_with' /path/to/rails/app/models/
• ruby / server:
bundle audit check
• ruby / server:
bundle list | grep activerecord
EPSS: 0.33% (56th percentile)
The primary mitigation for CVE-2014-3514 is to upgrade to a patched version of Ruby on Rails: 4.0.9 or later on the 4.0.x line, 4.1.5 or later on the 4.1.x line. If upgrading is not immediately feasible, implement stricter input validation on the application side to supplement the strong parameters protection; this is not a complete solution, but it reduces the attack surface. Review and audit all create_with calls to ensure the attributes they receive are properly validated and sanitized. After upgrading, confirm the fix by attempting to reproduce the vulnerability with crafted input; strong parameters should now correctly reject the unpermitted attributes.
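To make the audit concrete, here is an added example (not Rails code and not from this page) that models in plain Ruby the permitted? check which create_with lacked before 4.0.9/4.1.5: Params, vulnerable_create_with, fixed_create_with and rejected_by_fixed? are hypothetical stand-ins for ActionController::Parameters and the relation method, and the request hash is constructed.

```ruby
class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters (assumption, not the real class):
# a hash that remembers whether the controller explicitly permitted it.
class Params
  def initialize(data, permitted: false)
    @data = data
    @permitted = permitted
  end
  def permitted?
    @permitted
  end
  # Returns a new Params holding only the listed keys, marked permitted.
  def permit(*keys)
    Params.new(@data.select { |k, _| keys.include?(k) }, permitted: true)
  end
  def to_h
    @data.dup
  end
end

# Modelled on ActiveModel::ForbiddenAttributesProtection: refuse any
# attributes object that knows it was never permitted.
def sanitize_for_mass_assignment(attributes)
  if attributes.respond_to?(:permitted?) && !attributes.permitted?
    raise ForbiddenAttributesError
  end
  attributes.to_h
end

# Pre-4.0.9 behaviour (hypothetical stand-in): the hash is merged into the
# relation's create_with defaults without consulting permitted?.
def vulnerable_create_with(defaults, value)
  defaults.merge(value.to_h)
end

# Fixed behaviour: the same check the other mass-assignment paths apply.
def fixed_create_with(defaults, value)
  defaults.merge(sanitize_for_mass_assignment(value))
end

# True when the fixed path refuses the given attributes.
def rejected_by_fixed?(value)
  fixed_create_with({}, value)
  false
rescue ForbiddenAttributesError
  true
end

# Constructed request: the client includes an admin flag the controller never permits.
REQUEST = Params.new({ "name" => "alice", "admin" => true })
```

Plain hashes still pass the fixed path unchanged, so application code that builds its own attribute hashes is unaffected; only unpermitted parameter objects are rejected.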
No official patch available. Check for workarounds or monitor for updates.
CVE-2014-3514 is a high-severity vulnerability in Ruby on Rails ActiveRecord that allows attackers to bypass strong parameters, potentially manipulating data.
You are affected if you are using Ruby on Rails versions 4.0.x before 4.0.9 or 4.1.x before 4.1.5. Check your application's version immediately.
Upgrade to Ruby on Rails version 4.0.9 or 4.1.5. Implement stricter input validation as a temporary mitigation if upgrading is not immediately possible.
While no widespread campaigns are confirmed, public exploits exist, and the vulnerability is considered a potential risk.
Refer to the official Ruby on Rails security advisories: https://github.com/rails/rails/security/advisories