GHSA-jppv-gw3r-w3q8

Source

https://github.com/advisories/GHSA-jppv-gw3r-w3q8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-jppv-gw3r-w3q8/GHSA-jppv-gw3r-w3q8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jppv-gw3r-w3q8

Aliases

CVE-2020-8130

Published

2020-02-28T16:54:36Z

Modified

2024-02-19T05:32:17.994147Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

OS Command Injection in Rake

Details

There is an OS command injection vulnerability in Ruby Rake before 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2020-02-25T15:50:03Z"
}

References

Affected packages

RubyGems / rake

Package

Name: rake
Purl: pkg:gem/rake

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.3.3

Affected versions

0.*

0.4.8

0.4.9

0.4.10

0.4.11

0.4.12

0.4.13

0.4.14

0.4.15

0.5.0

0.5.3

0.5.4

0.6.0

0.6.2

0.7.0

0.7.1

0.7.2

0.7.3

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.9.0.beta.0

0.9.0.beta.1

0.9.0.beta.2

0.9.0.beta.4

0.9.0.beta.5

0.9.0

0.9.1

0.9.2

0.9.2.2

0.9.3.beta.1

0.9.3.beta.2

0.9.3.beta.3

0.9.3.beta.4

0.9.3

0.9.4

0.9.5

0.9.6

10.*

10.0.0.beta.1

10.0.0.beta.2

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.1.0.beta.1

10.1.0.beta.2

10.1.0.beta.3

10.1.0

10.1.1

10.2.0

10.2.1

10.2.2

10.3.0

10.3.1

10.3.2

10.4.0

10.4.1

10.4.2

10.5.0

11.*

11.0.1

11.1.0

11.1.1

11.1.2

11.2.0

11.2.2

11.3.0

12.*

12.0.0.beta1

12.0.0

12.1.0

12.2.0

12.2.1

12.3.0

12.3.1

12.3.2

Database specific

last_known_affected_version_range

"<= 12.3.2"