Published: 20/08/2014 Updated: 08/08/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x prior to 4.0.9 and 4.1.x prior to 4.1.5 allows remote malicious users to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

Affected Products

Vendor        Product   Versions
Rubyonrails   Rails     4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4

Vendor Advisories

It was discovered that Active Record's create_with method failed to properly check attributes passed to it. A remote attacker could possibly use this flaw to bypass the strong parameter protection and modify arbitrary model attributes via mass assignment if an application using Active Record called create_with with untrusted values ...
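The bug described in the summary and the advisory above, as an added example (not the advisory's or Rails' own code): a pure-Ruby stand-in for ActionController::Parameters showing why create_with had to run the same forbidden-attributes check that already guarded new/create. The Params class, the "admin" attribute and the request input are constructed for illustration.

```ruby
# Added example (not the advisory's or Rails' own code): a pure-Ruby stand-in
# showing the check that Rails 4.0.9 / 4.1.5 added to create_with.
class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters (assumption: only permitted? and
# permit matter here, which is what the Rails check relies on).
class Params
  def initialize(hash, permitted: false)
    @hash = hash
    @permitted = permitted
  end
  def permitted?
    @permitted
  end
  # Keep only the listed keys and mark the result as permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@hash.select { |k, _| allowed.include?(k.to_s) }, permitted: true)
  end
  def to_h
    @hash.dup
  end
end

# Same rule as ActiveModel's forbidden-attributes protection: a parameters
# object that was never run through permit is rejected outright.
def sanitize_forbidden_attributes(attrs)
  if attrs.respond_to?(:permitted?) && !attrs.permitted?
    raise ForbiddenAttributesError, "unpermitted attributes in mass assignment"
  end
  attrs.to_h
end

# Vulnerable shape (4.0.x before 4.0.9, 4.1.x before 4.1.5): create_with merged
# whatever it was given, so an unpermitted object set every attribute it carried.
def create_with_vulnerable(attrs)
  attrs.to_h
end

# Patched shape: the check that already guarded new/create also guards create_with.
def create_with_patched(attrs)
  sanitize_forbidden_attributes(attrs)
end

# Constructed request input: a client adds an "admin" key the form never offered.
untrusted = Params.new({ "name" => "alice", "admin" => true })
create_with_vulnerable(untrusted)            # => {"name" => "alice", "admin" => true}
create_with_patched(untrusted.permit(:name)) # => {"name" => "alice"}
# create_with_patched(untrusted) raises ForbiddenAttributesError instead of
# silently mass-assigning admin.
```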
