BIT-rails-2020-8163

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/rails/BIT-rails-2020-8163.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-rails-2020-8163

Aliases

CVE-2020-8163
GHSA-cr3x-7m39-c6jq

Published

2024-03-06T11:04:18.694Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the locals argument of a render call to perform a RCE.

Database specific

{
    "cpes": [
        "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html
https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
https://hackerone.com/reports/304805
https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

Affected packages

Bitnami / rails

Package

Name: rails
Purl: pkg:bitnami/rails

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.1