OS Command Injection Vulnerability in Ruby Rake by Ruby
CVE-2020-8130

6.4MEDIUM

Key Information:

Vendor

Ruby-lang

Status
Https://github.com/ruby/ruby
Vendor
CVE Published:
24 February 2020

What is CVE-2020-8130?

An OS command injection vulnerability exists in Ruby Rake versions prior to 12.3.3. The issue arises when a filename is supplied that begins with the pipe character |, allowing an attacker to execute arbitrary commands on the host system. This vulnerability can have severe consequences, potentially compromising the integrity and security of the environment, especially when Rake is used in a continuous integration or deployment pipeline. Users are advised to update to the latest version of Rake to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

https://github.com/ruby/ruby Fixed in Rake 12.3.3

References

https://hackerone.com/reports/651518
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2020/02/msg0...
mailing-listx_refsource_MLIST
https://usn.ubuntu.com/4295-1/
vendor-advisoryx_refsource_UBUNTU

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.