Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2020-8163

UNKNOWN
Published 2020-07-02T18:35:12
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2020-8163. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.

Available Exploits

Ruby on Rails <5.0.1 - Remote Code Execution

Ruby on Rails before version 5.0.1 is susceptible to remote code execution because it passes user parameters as local variables into partials.

ID: CVE-2020-8163
Author: tim_koopmans High

References:

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Remote code execution via user-provided local names in ActionView

GHSA-cr3x-7m39-c6jq

Advisory Details

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.

Affected Packages

RubyGems actionview
ECOSYSTEM: ≥0 <4.2.11.3

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-8163
WEB https://hackerone.com/reports/304805
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml
WEB https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
WEB https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
WEB https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
WEB http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html

Advisory provided by GitHub Security Advisory Database. Published: July 7, 2020, Modified: July 5, 2023

References

https://hackerone.com/reports/304805
https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html
Published: 2020-07-02T18:35:12
Last Modified: 2024-08-04T09:48:25.683Z
Copied to clipboard!