High severityNVD Advisory· Published Aug 20, 2014· Updated May 6, 2026

CVE-2014-3514

Description

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
activerecordRubyGems	>= 4.0.0, < 4.0.9	4.0.9
activerecordRubyGems	>= 4.1.0, < 4.1.5	4.1.5

Affected products

Rubyonrails/Rails28 versions
cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*+ 27 more
- cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
ghsa-coords2 versions
pkg:gem/activerecord pkg:rpm/opensuse/rubygem-railties-4_2&distro=openSUSE%20Tumbleweed
>= 4.0.0, < 4.0.9+ 1 more
- (no CPE)range: >= 4.0.0, < 4.0.9
- (no CPE)range: < 5.0.0.1-1.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-9rf5-jm6f-2fmmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2014-3514ghsaADVISORY
openwall.com/lists/oss-security/2014/08/18/10nvdWEB
rhn.redhat.com/errata/RHSA-2014-1102.htmlnvdWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-3514.ymlghsaWEB
groups.google.com/forum/ghsaWEB
groups.google.com/forum/message/rawnvdWEB
secunia.com/advisories/60347nvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000