Medium: rubygem-rake

2020-06-2306:05:00

alas.aws.amazon.com

6.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

35.6%

JSON

Issue Overview:

There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |. (CVE-2020-8130)

Affected Packages:

rubygem-rake

Issue Correction:
Run yum update rubygem-rake to update your system.

New Packages:

noarch:  
    rubygem21-rake-doc-10.4.2-1.48.amzn1.noarch  
    rubygem20-rake-10.4.2-1.48.amzn1.noarch  
    rubygem23-rake-10.4.2-1.48.amzn1.noarch  
    rubygem21-rake-10.4.2-1.48.amzn1.noarch  
    rubygem22-rake-doc-10.4.2-1.48.amzn1.noarch  
    rubygem23-rake-doc-10.4.2-1.48.amzn1.noarch  
    rubygem22-rake-10.4.2-1.48.amzn1.noarch  
    rubygem20-rake-doc-10.4.2-1.48.amzn1.noarch  
  
src:  
    rubygem-rake-10.4.2-1.48.amzn1.src

Additional References

Red Hat: CVE-2020-8130

Mitre: CVE-2020-8130

OSVersionArchitecturePackageVersionFilename
Amazon Linux1noarchrubygem21-rake-doc< 10.4.2-1.48.amzn1rubygem21-rake-doc-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux1noarchrubygem20-rake< 10.4.2-1.48.amzn1rubygem20-rake-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux1noarchrubygem23-rake< 10.4.2-1.48.amzn1rubygem23-rake-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux1noarchrubygem21-rake< 10.4.2-1.48.amzn1rubygem21-rake-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux1noarchrubygem22-rake-doc< 10.4.2-1.48.amzn1rubygem22-rake-doc-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux1noarchrubygem23-rake-doc< 10.4.2-1.48.amzn1rubygem23-rake-doc-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux1noarchrubygem22-rake< 10.4.2-1.48.amzn1rubygem22-rake-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux1noarchrubygem20-rake-doc< 10.4.2-1.48.amzn1rubygem20-rake-doc-10.4.2-1.48.amzn1.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	noarch	rubygem21-rake-doc	< 10.4.2-1.48.amzn1	rubygem21-rake-doc-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux	1	noarch	rubygem20-rake	< 10.4.2-1.48.amzn1	rubygem20-rake-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux	1	noarch	rubygem23-rake	< 10.4.2-1.48.amzn1	rubygem23-rake-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux	1	noarch	rubygem21-rake	< 10.4.2-1.48.amzn1	rubygem21-rake-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux	1	noarch	rubygem22-rake-doc	< 10.4.2-1.48.amzn1	rubygem22-rake-doc-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux	1	noarch	rubygem23-rake-doc	< 10.4.2-1.48.amzn1	rubygem23-rake-doc-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux	1	noarch	rubygem22-rake	< 10.4.2-1.48.amzn1	rubygem22-rake-10.4.2-1.48.amzn1.noarch.rpm
Amazon Linux	1	noarch	rubygem20-rake-doc	< 10.4.2-1.48.amzn1	rubygem20-rake-doc-10.4.2-1.48.amzn1.noarch.rpm