CVE-2020-8130
Published: 24 Feb 2020, 14:41
Last modified: 04 Aug 2024, 09:48
Vulnerability Summary
- Overall risk (site default): medium, 38/100
- CVSS score: 6.9 MEDIUM (v2.0, NVD)
- EPSS score: 0.55% LOW (1% probability, +0.42%)
- KEV: not listed
- Ransomware: no reports
- Public exploits: 1 found
- Dark web: not detected
Description
There is an OS command injection vulnerability in Ruby Rake before 12.3.3 in Rake::FileList when a supplied filename begins with the pipe character `|`. The affected code path (FileList#egrep) opened each listed path with Ruby's Kernel#open, which interprets a string starting with `|` as a command to run through a pipe and returns the command's output as the stream; a name that an attacker can get into a FileList (for example a file literally named `|cmd` in a directory that a Rakefile globs) is therefore executed with the privileges of the user running rake. Rake 12.3.3 switched that call to File.open, which always treats its argument as a path and never spawns a process. To check an installation, run `gem list rake` or inspect Gemfile.lock and confirm the version is 12.3.3 or later; rake also ships as a default gem with Ruby, so the copy bundled with the interpreter needs checking as well as any project-pinned one.
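The pattern behind the description above, as an added example that is not Rake's code and not part of the advisory: a grep over a list of file names in the vulnerable shape (Kernel#open on each name) next to the hardened shape (File.open plus an explicit rejection of pipe-prefixed names). The method names, the `|echo injected` entry and the temporary demo file are constructed for this example; the vulnerable method is assumed to mirror the pre-12.3.3 behaviour rather than copied from it.

```ruby
# Added example, not code from Rake or from the advisory. Models the
# CVE-2020-8130 pattern: grepping a list of file names that may contain
# attacker-controlled entries. Names and inputs are constructed for the demo.
require "tempfile"

# Constructed attacker-controlled entry: a "file name" that starts with "|".
PIPE_NAME = "|echo injected"

# Vulnerable shape (assumed to mirror pre-12.3.3 FileList#egrep): Kernel#open
# on each name. A name beginning with "|" is run as a command through a pipe
# and its stdout is read as if it were file contents. Ruby 3.3 and later mark
# this use as deprecated (scheduled for removal in Ruby 4.0).
def vulnerable_grep(file_names, pattern)
  hits = []
  file_names.each do |fn|
    open(fn, "r") do |io|              # Kernel#open, not File.open
      io.each_line { |line| hits << line.chomp if line.match?(pattern) }
    end
  end
  hits
end

# Hardened shape: File.open never spawns a subprocess, so "|echo injected" is
# just a missing file. The explicit check turns such a name into a clear error
# instead of an ENOENT deep inside the grep.
def safe_grep(file_names, pattern)
  hits = []
  file_names.each do |fn|
    if fn.start_with?("|")
      raise ArgumentError, "refusing pipe-prefixed file name: #{fn.inspect}"
    end
    File.open(fn, "r") do |io|
      io.each_line { |line| hits << line.chomp if line.match?(pattern) }
    end
  end
  hits
end

# Shows that File.open treats the same string as a path: it fails with a
# system error (no file named "|echo injected") rather than running anything.
def file_open_result(name)
  File.open(name, "r") { |io| io.read }
  :opened
rescue SystemCallError
  :no_such_file
end

# Writes a small constructed file so the safe path has something real to grep.
def write_demo_file
  f = Tempfile.create(["cve-2020-8130-demo", ".txt"])
  f.write("hello injected\nnothing here\n")
  f.close
  f.path
end

# Assumption based on the deprecation notice: Ruby 4.x is treated as no longer
# honouring "|" in Kernel#open, so the vulnerable demo is skipped there.
def pipe_open_supported?
  RUBY_VERSION.split(".").first.to_i < 4
end

if __FILE__ == $PROGRAM_NAME
  demo = write_demo_file
  p safe_grep([demo], /injected/)                    # real file: ["hello injected"]
  p file_open_result(PIPE_NAME)                      # :no_such_file
  begin
    safe_grep([PIPE_NAME], /injected/)
  rescue ArgumentError => e
    puts "safe_grep rejected: #{e.message}"
  end
  # Same input through the vulnerable shape: "echo injected" actually runs.
  p vulnerable_grep([PIPE_NAME], /injected/) if pipe_open_supported?
  File.delete(demo)
end
```

The important line is the difference between `open(fn, "r")` and `File.open(fn, "r")`: the first is Kernel#open, which dispatches on the leading `|`, the second is a plain file open. The up-front `start_with?("|")` check is defence in depth so that a pipe-prefixed name produced by a glob is surfaced as an error rather than silently reported as a missing file.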
CVSS Metrics
- v3.1 • MEDIUM • Score: 6.4 • CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
- v2.0 • MEDIUM • Score: 6.9 • AV:L/AC:M/Au:N/C:C/I:C/A:C
The v3.1 vector rates the issue as local, high complexity and requiring high privileges, which is why the score stays medium despite full confidentiality, integrity and availability impact; in practice the exposure depends on who can place file names into a FileList that rake will process.
EPSS Trends
Current EPSS score: 0.55% • Percentile: 68%
Techniques & Countermeasures
- CWE-78•Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Affected Systems
- canonical•ubuntu_linux
16.04 | 18.04 | 19.10
- debian•debian_linux
8.0
- fedoraproject•fedora
30 | 31
- opensuse•leap
15.1
- ruby-lang•rake
< 12.3.3
References (6)
- https://hackerone.com/reports/651518
- https://lists.debian.org/debian-lts-announce/2020/02/msg00026.html
- https://usn.ubuntu.com/4295-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMX4ARNX2JLRJMSH4N3J3UBMUT5CI44/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/523CLQ62VRN3VVC52KMPTROCCKY4Z36B/