Deserialization Vulnerability in Rails Framework by Ruby on Rails
CVE-2020-8164
7.5 HIGH
Key Information:
- Vendor: Rubyonrails
- CVE Published: 19 June 2020
What is CVE-2020-8164?
A vulnerability exists in the Rails framework that allows an attacker to exploit deserialization of untrusted data. This issue affects versions prior to 5.2.4.3 and 6.0.3.1 and can lead to information leakage through improperly validated Strong Parameters. Upgrading to a fixed Rails release (5.2.4.3, 6.0.3.1 or later) is the mitigation for this risk.
Affected Version(s)
https://github.com/rails/rails: 5.2.4.3, 6.0.3.1
EPSS Score
5% chance of being exploited in the next 30 days.
CVSS V3.1
- Score: 7.5
- Severity: HIGH
- Confidentiality: High
- Integrity: None
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged