Description

A vulnerability exists in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a render call to acheive remote code execution. This vulnerability has been assigned the CVE identifier CVE-2020-8163.

Remediation

Users of Rails 5.0 should upgrade to a version >= 5.0.1. This release is already available on RubyGems.

Workaround: Until such time as the patch can be applied, application developers should ensure that all user-provided local names are alphanumeric.

References

[CVE-2020-8163] Potential remote code execution of user-provided local names in Rails < 5.0.1

Related Vulnerabilities

Apache Log4j2 JNDI Remote Code Execution (per folder)

Spring Data REST RCE via PATCH requests

Apache Struts2 Remote Command Execution (S2-052)

TimThumb WebShot remote code execution

TinyMCE ajax_create_folder remote code execution vulnerability

Severity

High

Classification

CVE-2020-8163 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution Acumonitor