CVE-2020-8130

Published: Feb 24, 2020Modified: Nov 21, 2024

6.4

Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.5 / Impact: 5.9

Source: NVD

Description

There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.

Affected (8)

Products: Ruby Lang: Rake · Canonical: Ubuntu Linux · Debian: Debian Linux · +2 more

Show all products

Ruby Lang: Rake · Canonical: Ubuntu Linux · Debian: Debian Linux · Fedoraproject: Fedora · Opensuse: Leap

1 product

1 product

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Rake	Before 12.3.3

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 19.10
Debian Debian Linux	Version 8.0
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31
Opensuse Leap	Version 15.1

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (12)

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://hackerone.com/reports/651518

Source: support@hackerone.com

ExploitPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/02/msg00026.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/523CLQ62VRN3VVC52KMPTROCCKY4Z36B/

Source: support@hackerone.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMX4ARNX2JLRJMSH4N3J3UBMUT5CI44/

Source: support@hackerone.com

https://usn.ubuntu.com/4295-1/

Source: support@hackerone.com

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://hackerone.com/reports/651518

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/02/msg00026.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/523CLQ62VRN3VVC52KMPTROCCKY4Z36B/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMX4ARNX2JLRJMSH4N3J3UBMUT5CI44/

Source: af854a3a-2127-422b-91ae-364da2661108

https://usn.ubuntu.com/4295-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.