9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.725 High
EPSS
Percentile
98.0%
Package : rails
Version : 2:4.1.8-1+deb8u7
CVE ID : CVE-2020-8164 CVE-2020-8165
Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based
framework geared for web application development, which could lead to
remote code execution and untrusted user input usage, depending on the
application.
CVE-2020-8164
Strong parameters bypass vector in ActionPack. In some cases user
supplied information can be inadvertently leaked from Strong
Parameters. Specifically the return value of `each`, or
`each_value`, or `each_pair` will return the underlying
"untrusted" hash of data that was read from the parameters.
Applications that use this return value may be inadvertently use
untrusted user input.
CVE-2020-8165
Potentially unintended unmarshalling of user-provided objects in
MemCacheStore. There is potentially unexpected behaviour in the
MemCacheStore where, when untrusted user input is written to the
cache store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object
instead of plain text. Unmarshalling of untrusted user input can
have impact up to and including RCE. At a minimum, this
vulnerability allows an attacker to inject untrusted Ruby objects
into a web application.
In addition to upgrading to the latest versions of Rails,
developers should ensure that whenever they are calling
`Rails.cache.fetch` they are using consistent values of the `raw`
parameter for both reading and writing.
For Debian 8 "Jessie", these problems have been fixed in version
2:4.1.8-1+deb8u7.
We recommend that you upgrade your rails packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 9 | all | ruby-activejob | < 2:4.2.7.1-1+deb9u3 | ruby-activejob_2:4.2.7.1-1+deb9u3_all.deb |
Debian | 9 | all | ruby-activemodel | < 2:4.2.7.1-1+deb9u3 | ruby-activemodel_2:4.2.7.1-1+deb9u3_all.deb |
Debian | 9 | all | ruby-activesupport | < 2:4.2.7.1-1+deb9u3 | ruby-activesupport_2:4.2.7.1-1+deb9u3_all.deb |
Debian | 10 | all | ruby-railties | < 2:5.2.2.1+dfsg-1+deb10u2 | ruby-railties_2:5.2.2.1+dfsg-1+deb10u2_all.deb |
Debian | 8 | all | ruby-railties | < 2:4.1.8-1+deb8u7 | ruby-railties_2:4.1.8-1+deb8u7_all.deb |
Debian | 8 | all | ruby-activesupport-2.3 | < 2:4.1.8-1+deb8u7 | ruby-activesupport-2.3_2:4.1.8-1+deb8u7_all.deb |
Debian | 8 | all | ruby-actionview | < 2:4.1.8-1+deb8u7 | ruby-actionview_2:4.1.8-1+deb8u7_all.deb |
Debian | 9 | all | rails | < 2:4.2.7.1-1+deb9u3 | rails_2:4.2.7.1-1+deb9u3_all.deb |
Debian | 10 | all | ruby-activemodel | < 2:5.2.2.1+dfsg-1+deb10u2 | ruby-activemodel_2:5.2.2.1+dfsg-1+deb10u2_all.deb |
Debian | 10 | all | ruby-activejob | < 2:5.2.2.1+dfsg-1+deb10u2 | ruby-activejob_2:5.2.2.1+dfsg-1+deb10u2_all.deb |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.725 High
EPSS
Percentile
98.0%