CVE-2020-8163

Advisory lineage Upstream: 0 Downstream: 4

Downstream

DEBIAN-CVE-2020-8163 DLA-2282-1 SUSE-SU-2020:2140-1 UBUNTU-CVE-2020-8163

Modified

Published: 02 Jul 2020, 18:35

Last modified:04 Aug 2024, 09:48

Vulnerability Summary

Overall Risk (default)

high

63/100

CVSS Score

8.8 HIGH

v3.1 (nvd)

EPSS Score

91.07% CRITICAL

91% probability +0.14%

KEV

Not listed

Ransomware

No reports

Public exploits

2 found

Dark Web

Not detected

Timeline

02 Jul 2020, 18:35

Published

Vulnerability first disclosed

04 Aug 2024, 09:48

Last Modified

Vulnerability information updated

Description

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.

CVSS Metrics

v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 91.07%• Percentile: 100%

Techniques & Countermeasures

CWE-94•Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

debian•debian_linux
9.0
rubyonrails•rails
< 5.0.1