rails Critical
Attribute Restriction
Discovered over 5 years ago
Published about 6 years ago
Category: Attribute Restriction
Source: NIST NVD
Severity: Critical

The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection. Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models.

CVSS Metrics

Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Patched Versions

~> 4.0.9, >= 4.1.5

Unaffected Versions

< 4.0.0
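
One way to check a project against this advisory, as an added example that is not part of the advisory or of Rails itself: it compares the locked activerecord version with the patched and unaffected ranges listed above and flags create_with calls that receive raw params. The helper names, the sample lockfile and source lines, and the same-line `.permit` heuristic are assumptions made for illustration.

```ruby
# Added example: audit helper for the create_with advisory (not Rails code).
require "rubygems"

# Version ranges copied from the advisory text.
PATCHED    = ["~> 4.0.9", ">= 4.1.5"].map { |r| Gem::Requirement.new(r) }
UNAFFECTED = ["< 4.0.0"].map { |r| Gem::Requirement.new(r) }

# A version is affected when it matches neither a patched nor an unaffected range.
def affected?(version)
  v = Gem::Version.new(version)
  (PATCHED + UNAFFECTED).none? { |req| req.satisfied_by?(v) }
end

# Resolved activerecord version from Gemfile.lock text (4-space "specs:" entries only).
def locked_activerecord(lock_text)
  lock_text[/^ {4}activerecord \(([^)]+)\)/, 1]
end

# Heuristic (assumption): flag lines that hand raw `params` to create_with
# without a `.permit` call on the same line. Returns [line_number, source] pairs.
def risky_create_with(source)
  hits = source.each_line.with_index(1).select do |line, _n|
    line =~ /\bcreate_with\b.*\bparams\b/ && line !~ /\.permit\b/
  end
  hits.map { |line, n| [n, line.strip] }
end

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activerecord (4.1.4)
        activemodel (= 4.1.4)
      activerecord-deprecated_finders (1.0.3)
LOCK

SAMPLE_SOURCE = <<~RUBY
  User.where(email: e).create_with(params[:user]).first_or_create
  User.create_with(params.require(:user).permit(:name)).first_or_create
  User.create_with(user_params).first_or_create
RUBY

if __FILE__ == $PROGRAM_NAME
  version = locked_activerecord(SAMPLE_LOCK)
  puts "activerecord #{version}: #{affected?(version) ? 'affected' : 'not affected'}"
  risky_create_with(SAMPLE_SOURCE).each { |n, src| puts "line #{n}: #{src}" }
end
```

The source scan is line-based, so a permit call on a different line or a variable that aliases params needs manual review.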