CVE-2020-8159

There is a vulnerability in actionpack_page-caching gem < v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
References
Link Resource
https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8 Exploit Mailing List Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/07/msg00019.html Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:rubyonrails:actionpack_page-caching:*:*:*:*:*:ruby:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

History

05 Apr 2022, 15:02

Type Values Removed Values Added
First Time Debian
Debian debian Linux
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2021/07/msg00019.html - Mailing List, Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Information

Published : 2020-05-12 13:15

Updated : 2022-04-05 15:02


NVD link : CVE-2020-8159

Mitre link : CVE-2020-8159


JSON object : View

Products Affected

rubyonrails

  • actionpack_page-caching

debian

  • debian_linux
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')