CVE-2020-8164

Published: Jun 19, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

Affected (8)

Products: Rubyonrails: Rails · Debian: Debian Linux · Opensuse: Backports Sle, Leap

1 product

1 product

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Rubyonrails Rails	Before 5.2.4.3
Rubyonrails Rails	From 6.0.0 to 6.0.3.1

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Opensuse Backports Sle	Version 15.0 sp1
Opensuse Leap	Version 15.1
Opensuse Leap	Version 15.2

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (16)

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY

Source: support@hackerone.com

PatchThird Party Advisory

https://hackerone.com/reports/292797

Source: support@hackerone.com

ExploitPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://www.debian.org/security/2020/dsa-4766

Source: support@hackerone.com

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://hackerone.com/reports/292797

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.debian.org/security/2020/dsa-4766

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.