#VU32466 Permissions, Privileges, and Access Controls in Action Mailer - CVE-2014-3514

Cybersecurity Help s.r.o.

Published: 2014-08-20 | Updated: 2020-07-28

Vulnerability identifier: #VU32466

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-3514

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Action Mailer
Universal components / Libraries / Programming Languages & Components

Vendor: Rails

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Action Mailer: 4.0.0 - 4.1.4

External links
https://openwall.com/lists/oss-security/2014/08/18/10
https://rhn.redhat.com/errata/RHSA-2014-1102.html
https://secunia.com/advisories/60347
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Permissions, Privileges, and Access Controls in ruby-actionmailer (Alpine package)

Permissions, Privileges, and Access Controls in Rails Action Mailer for Ruby on Rails