There is a vulnerability in the create_with method in Active Record. This vulnerability has been assigned the CVE identifier CVE-2014-3514.
Versions Affected: 4.0.0 and All Later Versions.
Not affected: Versions earlier than 4.0.0
Fixed Versions: 4.0.9, 4.1.5
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection. Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models.
All users running an affected release should either upgrade or use one of the workarounds immediately.
The 4.0.9 and 4.1.5 releases are available at the normal locations.
To avoid this vulnerability you will have to either remove all calls to create_with, or carefully audit your codebase to ensure it sanitizes the input first. For example, user input should be filtered through strong parameters before it reaches create_with, like this:
user.blog_posts.create_with(params[:blog_post].permit(:title, :body, :etc)).create
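The advisory asks for an audit of every create_with call. The following heuristic audit script is an added example, not code from the advisory or from Rails: it scans Ruby source for create_with calls whose argument references params but is not passed through .permit(, and reports them. The SAMPLE controller source is constructed for illustration.

```ruby
# Heuristic audit for CVE-2014-3514: report create_with calls that hand
# request parameters to Active Record without strong-parameter filtering.
# Assumption (not from the advisory): an argument is treated as sanitized when
# its text contains ".permit(" and as user-controlled when it mentions "params".

CREATE_WITH = /create_with\s*\(/

# Returns the argument text of the first create_with call on the line, matching
# balanced parentheses so a nested permit(...) call stays inside the argument.
def create_with_argument(line)
  m = CREATE_WITH.match(line)
  return nil unless m
  start = m.end(0)
  depth = 1
  i = start
  while i < line.length && depth > 0
    depth += 1 if line[i] == '('
    depth -= 1 if line[i] == ')'
    i += 1
  end
  return line[start..] if depth > 0 # unbalanced line: return the rest as-is
  line[start...(i - 1)]
end

# Returns [[line_number, source_line], ...] for each unsanitized call.
def unsanitized_create_with_calls(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    arg = create_with_argument(line)
    next if arg.nil?
    next unless arg.include?('params')  # literal hashes are not user input
    next if arg.include?('.permit(')    # already filtered by strong parameters
    findings << [lineno, line.strip]
  end
  findings
end

# Constructed sample: one unsanitized call, one permitted call, one literal hash.
SAMPLE = <<~RUBY
  class BlogPostsController < ApplicationController
    def create
      user.blog_posts.create_with(params[:blog_post]).create
      user.blog_posts.create_with(params[:blog_post].permit(:title, :body)).create
      user.blog_posts.create_with(title: "Untitled").create
    end
  end
RUBY

unsanitized_create_with_calls(SAMPLE).each { |n, l| puts "line #{n}: #{l}" }
```

Run it over app/ with `ruby audit.rb` after reading the files into `source`; a clean report does not prove the code is safe, since the check is textual and does not follow values assigned to variables.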
Rails 4.0.9 and 4.1.5 are now available in the tree.
Are you ready to stabilize now, or do you need some time for testing?
(In reply to Yury German from comment #2)
> Are you ready to stabilize now, or do you need some time for testing?
No stable version(s). We don't need to stabilize.
activerecord/lib/active_record/relation/query_methods.rb in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes create_with calls.
Maintainer(s), thank you for the cleanup!
No GLSA needed as there are no stable versions.