CVE-2020-8164
Modified
Published: 19 Jun 2020, 17:04
Last modified: 04 Aug 2024, 09:48
Vulnerability Summary
Overall Risk (default): medium (41/100)
CVSS Score: 7.5 HIGH, v3.1 (nvd)
EPSS Score: 7.39% LOW
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected
Timeline
- 19 Jun 2020, 17:04 • Published: vulnerability first disclosed
- 04 Aug 2024, 09:48 • Last Modified: vulnerability information updated
Description
A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3 and rails < 6.0.3.1 which can allow an attacker to supply information that can be inadvertently leaked from Strong Parameters.
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- v2.0 • MEDIUM • Score: 5.0 • AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 7.39% • Percentile: 92%
Techniques & Countermeasures
- CWE-502 • Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Systems
- debian • debian_linux: 8.0 | 9.0 | 10.0
- opensuse • backports_sle: 15.0:sp1
- opensuse • leap: 15.1 | 15.2
- rubyonrails • rails: < 5.2.4.3 | ≥ 6.0.0, < 6.0.3.1
References (8)
- https://hackerone.com/reports/292797
- https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
- https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
- https://www.debian.org/security/2020/dsa-4766
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html