Bug 1131240 (CVE-2014-3514)
| Field | Value |
|---|---|
| Summary | CVE-2014-3514 rubygem-activerecord: Strong Parameter bypass with create_with |
| Product | [Other] Security Response |
| Reporter | Kurt Seifried <kseifried> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | abaron, aortega, apevec, ayoung, bdunne, bkabrda, bkearney, bleanhar, cbillett, ccoleman, chazlett, chrisw, dajohnso, dallan, dclarizi, dmcphers, gkotton, gmccullo, jdetiber, jfrey, jialiu, jkeck, jokerman, jorton, jprause, jrafanie, jrusnack, jstribny, jvlcek, katello-bugs, kseifried, lhh, lmeyer, lpeer, markmc, mastahnke, mburns, mmaslano, mmccomas, mmcgrath, mmorsi, mpovolny, mtasaka, obarenbo, rbryant, rhos-maint, sclewis, sseago, tomckay, vanmeeuwen+fedora, vondruch, xlecauch, yeylon |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | rubygem-activerecord 4.0.9, rubygem-activerecord 4.1.5 |
| Doc Type | Bug Fix |
| Doc Text | It was discovered that Active Record's create_with method failed to properly check attributes passed to it. A remote attacker could possibly use this flaw to bypass the strong parameter protection and modify arbitrary model attributes via mass assignment if an application using Active Record called create_with with untrusted values. |
| Story Points | --- |
| Last Closed | 2014-08-27 14:47:37 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1133530, 1133531, 1133622 |
| Bug Blocks | 1131241 |
Description
Kurt Seifried
2014-08-18 18:45:17 UTC

Created attachment 928054 [details]
4-0-create_with.patch

Created attachment 928055 [details]
4-1-create_with.patch

Upgraded severity to high as this could allow authentication bypass and privilege escalation.

Upstream advisory: https://groups.google.com/forum/#!topic/rubyonrails-security/M4chq5Sb540

Announcement of fixed versions 4.0.9 and 4.1.5: http://weblog.rubyonrails.org/2014/8/18/Rails_4_0_9_and_4_1_5_have_been_released/

Upstream commits (4.0 and 4.1 branches):
https://github.com/rails/rails/commit/d4d0018
https://github.com/rails/rails/commit/9456990

Created rubygem-activerecord tracking bugs for this issue:
Affects: fedora-20 [bug 1133622]

IssueDescription:
It was discovered that Active Record's create_with method failed to properly check attributes passed to it. A remote attacker could possibly use this flaw to bypass the strong parameter protection and modify arbitrary model attributes via mass assignment if an application using Active Record called create_with with untrusted values.

This issue has been addressed in the following products:
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Via RHSA-2014:1102 https://rhn.redhat.com/errata/RHSA-2014-1102.html

rubygem-activerecord-4.0.0-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
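The mechanism the advisory describes, as an added example that is not part of the bug report, the Rails code base or the attached patches: a dependency-free Ruby model of how strong-parameter protection is enforced (a duck-typed `permitted?` check before mass assignment), of the gap left when `create_with` merged its hash without that check, and of the two defences available to an application: upgrading to a `create_with` that sanitizes, or whitelisting with `permit` before the value ever reaches `create_with`. `UntrustedParams`, `UserScope`, `User` and `sanitize_for_mass_assignment` are constructed stand-ins for the ActionController / Active Record pieces, not their real implementations, and `REQUEST` is a constructed request body.

```ruby
# Added example, not code from the bug report or from Rails. All names below are
# constructed stand-ins for ActionController::Parameters, ActiveModel's
# ForbiddenAttributesProtection and an Active Record relation.

class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters: a hash carrying a "permitted" flag.
# Strong parameters rely on the same duck-typed `permitted?` check.
class UntrustedParams
  def initialize(hash, permitted: false)
    @hash = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  def to_h
    @hash.dup
  end

  # Whitelist: a new, permitted object holding only the listed keys.
  def permit(*keys)
    UntrustedParams.new(@hash.select { |k, _| keys.include?(k) }, permitted: true)
  end
end

# Stand-in for ForbiddenAttributesProtection#sanitize_for_mass_assignment:
# anything that answers `permitted?` with false is rejected before assignment.
def sanitize_for_mass_assignment(attrs)
  if attrs.respond_to?(:permitted?) && !attrs.permitted?
    raise ForbiddenAttributesError, "unpermitted attributes passed to mass assignment"
  end
  attrs.respond_to?(:to_h) ? attrs.to_h : attrs
end

# Toy record: `admin` must never be settable from request input.
User = Struct.new(:name, :admin)

# Minimal relation: `fixed: false` models create_with before 4.0.9 / 4.1.5,
# `fixed: true` models the patched behaviour.
class UserScope
  def initialize(fixed: false)
    @fixed = fixed
    @create_with_value = {}
  end

  # Pre-fix create_with merged the given value as-is; the fix runs it through the
  # same forbidden-attributes check that the constructor path already used.
  def create_with(value)
    value = sanitize_for_mass_assignment(value) if @fixed
    @create_with_value = @create_with_value.merge(value.respond_to?(:to_h) ? value.to_h : value)
    self
  end

  # Like Relation#new: explicit attributes are checked, but the create_with
  # defaults are applied straight through the setters (the scope-attributes
  # path), so whatever create_with accepted lands on the record unchecked.
  def new(attrs = {})
    record = User.new
    sanitize_for_mass_assignment(attrs).each { |k, v| record[k] = v }
    @create_with_value.each { |k, v| record[k] = v }
    record
  end
end

# Constructed request body: untrusted input that smuggles an `admin` attribute.
REQUEST = { name: "mallory", admin: true }.freeze

# Unpatched create_with fed raw request input: the protected flag is set.
def unsanitized_create_with_result
  UserScope.new(fixed: false).create_with(UntrustedParams.new(REQUEST)).new
end

# Patched create_with with the same input: rejected before anything is assigned.
def fixed_create_with_raises?
  UserScope.new(fixed: true).create_with(UntrustedParams.new(REQUEST)).new
  false
rescue ForbiddenAttributesError
  true
end

# Application-side mitigation independent of the gem version: whitelist first,
# so only `name` can reach create_with even on an unpatched release.
def permitted_create_with_result
  UserScope.new(fixed: false).create_with(UntrustedParams.new(REQUEST).permit(:name)).new
end
```

The third function is the check to make when auditing an application that cannot upgrade immediately: every `create_with` (and `find_or_create_by` / `first_or_create` chain built on it) should receive either a literal hash or the result of `require(...).permit(...)`, never a raw `params` object.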