Main Vulnerability Database Vulnerabilities #VU32466

Permissions, Privileges, and Access Controls in Action Mailer - CVE-2014-3514

Published: August 20, 2014 / Updated: July 28, 2020

Vulnerability identifier: #VU32466

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2014-3514

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Rails

Affected software:
Action Mailer

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

How to mitigate CVE-2014-3514

Install update from vendor's website.

Sources

http://openwall.com/lists/oss-security/2014/08/18/10
http://rhn.redhat.com/errata/RHSA-2014-1102.html
http://secunia.com/advisories/60347
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ

Permissions, Privileges, and Access Controls in Action Mailer - CVE-2014-3514

Detailed vulnerability description

How to mitigate CVE-2014-3514

Sources

Please verify you're human