OS Command Injection Vulnerability in Ruby Rake by Ruby
CVE-2020-8130

6.4MEDIUM

Key Information:

Vendor: Ruby-lang
Status: Https://github.com/ruby/ruby
Vendor: CVE Published:; 24 February 2020

What is CVE-2020-8130?

An OS command injection vulnerability exists in Ruby Rake versions prior to 12.3.3. The issue arises when a filename is supplied that begins with the pipe character |, allowing an attacker to execute arbitrary commands on the host system. This vulnerability can have severe consequences, potentially compromising the integrity and security of the environment, especially when Rake is used in a continuous integration or deployment pipeline. Users are advised to update to the latest version of Rake to mitigate this risk.

Affected Version(s)

https://github.com/ruby/ruby Fixed in Rake 12.3.3

References

https://hackerone.com/reports/651518

x_refsource_MISC

https://lists.debian.org/debian-lts-announce/2020/02/msg0...

mailing-listx_refsource_MLIST

https://usn.ubuntu.com/4295-1/

vendor-advisoryx_refsource_UBUNTU

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 24, 2020
Vulnerability Reserved
Jan 28, 2020

Ruby-lang

What is CVE-2020-8130?

Affected Version(s)

References

CVSS V3.1

Timeline