Platform: ruby
Component: activerecord
Fixed in: 4.0.9
CVE-2014-3514 is a high-severity vulnerability affecting Ruby on Rails applications. It allows remote attackers to bypass the strong parameters protection mechanism, potentially leading to unauthorized data modification or manipulation. This vulnerability impacts versions of Ruby on Rails 4.0.x prior to 4.0.9 and 4.1.x before 4.1.5. A fix is available in versions 4.0.9 and 4.1.5.
The flaw lies in activerecord/lib/active_record/relation/query_methods.rb in Active Record. An attacker can supply crafted input that circumvents the intended strong parameters protection. Strong parameters are designed to prevent mass assignment, where an attacker modifies arbitrary attributes of a model. With that protection bypassed, an attacker could create, update, or delete records with unauthorized data, leading to data corruption, privilege escalation, or even complete control over the application's data. The impact is particularly severe in applications that build or update records directly from user-supplied data.
CVE-2014-3514 was publicly disclosed in 2017. While no widespread exploitation campaigns have been definitively linked to this specific CVE, the bypass of strong parameters is a common attack vector. Public proof-of-concept exploits are available, demonstrating the vulnerability's feasibility. This CVE was added to the CISA KEV catalog, indicating a potential risk to federal information systems.
Applications using Ruby on Rails versions 4.0.x before 4.0.9 and 4.1.x before 4.1.5 are at risk. This includes legacy applications that haven't been updated recently, as well as applications that rely heavily on user-supplied data for database operations. Shared hosting environments running vulnerable Rails versions are also particularly vulnerable.
• ruby / server:
  grep -r 'create_with' /path/to/rails/app/models/
• ruby / server:
  bundle audit activerecord
• ruby / server:
  bundle list | grep activerecord
Exploit status
EPSS: 0.33% (percentile 56%)
The primary mitigation for CVE-2014-3514 is to upgrade to a patched version of Ruby on Rails, specifically 4.0.9 or 4.1.5. If upgrading immediately is not feasible, consider implementing stricter input validation and sanitization on the server-side to prevent malicious data from reaching the database. While not a complete solution, this can reduce the attack surface. Review and strengthen your application's strong parameters configuration to ensure that only expected attributes are allowed. Consider using a Web Application Firewall (WAF) with rules to detect and block requests containing suspicious parameters. After upgrading, verify the fix by attempting to create or update records with crafted input that previously triggered the vulnerability.
No official fix available. Look for alternatives or monitor for updates.
CVE-2014-3514 is a high-severity vulnerability in Ruby on Rails ActiveRecord that allows attackers to bypass strong parameters, potentially manipulating data.
You are affected if you are using Ruby on Rails versions 4.0.x before 4.0.9 or 4.1.x before 4.1.5. Check your application's version immediately.
Upgrade to Ruby on Rails version 4.0.9 or 4.1.5. Implement stricter input validation as a temporary mitigation if upgrading is not immediately possible.
While no widespread campaigns are confirmed, public exploits exist, and the vulnerability is considered a potential risk.
Refer to the official Ruby on Rails security advisories: https://github.com/rails/rails/security/advisories