Description
A vulnerability exists in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a render call to achieve remote code execution. This vulnerability has been assigned the CVE identifier CVE-2020-8163.
Remediation
Users of Rails 5.0 should upgrade to a version >= 5.0.1. This release is already available on RubyGems.
Workaround: Until such time as the patch can be applied, application developers should ensure that all user-provided local names are alphanumeric.
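The workaround above can be enforced with a small helper that validates every user-supplied local name before the hash reaches `render`. This is an added example, not code from the advisory or from Rails; the helper name, the exception class and the sample hashes are assumptions, and the rule implemented is exactly the advisory's one (ASCII letters and digits only).

```ruby
# Added example (not from the advisory or Rails itself): enforce the advisory's
# workaround of accepting only alphanumeric local names before they are passed
# as the `locals:` argument of render. Names are validated, never rewritten.

class UnsafeLocalName < ArgumentError; end

# The advisory's rule, applied exactly: ASCII letters and digits only.
SAFE_LOCAL_NAME = /\A[A-Za-z0-9]+\z/

# Returns a Hash with Symbol keys that is safe to hand to `locals:`.
# Raises UnsafeLocalName on the first offending key, so a request carrying a
# bad name is rejected outright instead of being partially rendered.
def sanitize_render_locals(user_locals)
  user_locals.each_with_object({}) do |(name, value), safe|
    name_str = name.to_s
    unless SAFE_LOCAL_NAME.match?(name_str)
      raise UnsafeLocalName, "rejected local name #{name_str.inspect}"
    end
    safe[name_str.to_sym] = value
  end
end

# Boolean form for callers that prefer a predicate over an exception.
def safe_local_names?(user_locals)
  sanitize_render_locals(user_locals)
  true
rescue UnsafeLocalName
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input shaped like a params hash (not real request data).
  good = { "title" => "Hello", "count42" => 3 }
  bad  = { "title" => "Hello", "name; evil" => 1 } # space and ';' fail the check
  p sanitize_render_locals(good) # => {:title=>"Hello", :count42=>3}
  p safe_local_names?(bad)       # => false
end
```

In a controller, the user-supplied hash is wrapped in `sanitize_render_locals` before it becomes the `locals:` argument of `render`; underscores and other non-alphanumeric characters are rejected because the advisory's rule does not allow them.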