6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.009 Low
EPSS
Percentile
82.5%
In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.
The 1.2.1 gem including the patch has already been released.
All past released versions are affected by this vulnerability.
Application developers who can’t update the gem can workaround by overriding the PARAM_KEY_EXCEPT_LIST
constant.
module Kaminari::Helpers
PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
end
Thanks to Daniel Mircea for finding the issue and sending a patch via GitHub. Also thanks to Aditya Prakash for reporting the vulnerability.
github.com/github/advisory-review/pull/1020
github.com/kaminari/kaminari
github.com/kaminari/kaminari/commit/8dd52a1aed3d2fa2835d836de23fc0d8c4ff5db8
github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
github.com/rubysec/ruby-advisory-db/blob/master/gems/kaminari/CVE-2020-11082.yml
lists.debian.org/debian-lts-announce/2021/09/msg00011.html
nvd.nist.gov/vuln/detail/CVE-2020-11082
www.debian.org/security/2021/dsa-5005
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.009 Low
EPSS
Percentile
82.5%