Vulnerability-Lookup

CVE-2020-8164 (GCVE-0-2020-8164)

Vulnerability from cvelistv5 – Published: 2020-06-19 17:04 – Updated: 2024-08-04 09:48

Summary

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data (CWE-502)

Assigner

hackerone

References

8 references

URL	Tags
https://hackerone.com/reports/292797	x_refsource_MISC
https://groups.google.com/g/rubyonrails-security/…	x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
https://www.debian.org/security/2020/dsa-4766	vendor-advisoryx_refsource_DEBIAN
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE

Impacted products

1 product

Vendor	Product	Version
n/a	https://github.com/rails/rails	Affected: 5.2.4.3, 6.0.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:48:25.653Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/292797"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
          },
          {
            "name": "[debian-lts-announce] 20200619 [SECURITY] [DLA 2251-1] rails security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
          },
          {
            "name": "[debian-lts-announce] 20200720 [SECURITY] [DLA 2282-1] rails security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
          },
          {
            "name": "DSA-4766",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4766"
          },
          {
            "name": "openSUSE-SU-2020:1533",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
          },
          {
            "name": "openSUSE-SU-2020:1536",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
          },
          {
            "name": "openSUSE-SU-2020:1575",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/rails/rails",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "5.2.4.3, 6.0.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "Deserialization of Untrusted Data (CWE-502)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-29T14:06:08.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/292797"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
        },
        {
          "name": "[debian-lts-announce] 20200619 [SECURITY] [DLA 2251-1] rails security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
        },
        {
          "name": "[debian-lts-announce] 20200720 [SECURITY] [DLA 2282-1] rails security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
        },
        {
          "name": "DSA-4766",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4766"
        },
        {
          "name": "openSUSE-SU-2020:1533",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
        },
        {
          "name": "openSUSE-SU-2020:1536",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
        },
        {
          "name": "openSUSE-SU-2020:1575",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2020-8164",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/rails/rails",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.2.4.3, 6.0.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Deserialization of Untrusted Data (CWE-502)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/292797",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/292797"
            },
            {
              "name": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY",
              "refsource": "MISC",
              "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
            },
            {
              "name": "[debian-lts-announce] 20200619 [SECURITY] [DLA 2251-1] rails security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
            },
            {
              "name": "[debian-lts-announce] 20200720 [SECURITY] [DLA 2282-1] rails security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
            },
            {
              "name": "DSA-4766",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4766"
            },
            {
              "name": "openSUSE-SU-2020:1533",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
            },
            {
              "name": "openSUSE-SU-2020:1536",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
            },
            {
              "name": "openSUSE-SU-2020:1575",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2020-8164",
    "datePublished": "2020-06-19T17:04:13.000Z",
    "dateReserved": "2020-01-28T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:48:25.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-8164",
      "date": "2026-05-20",
      "epss": "0.07389",
      "percentile": "0.91806"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"5.2.4.3\", \"matchCriteriaId\": \"4357891D-A07C-4E1B-B540-92D6C477E7BB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndExcluding\": \"6.0.3.1\", \"matchCriteriaId\": \"12B5617A-91AC-4B94-BE1A-057DBF322808\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"40513095-7E6E-46B3-B604-C926F1BA3568\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B620311B-34A3-48A6-82DF-6F078D7A4493\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.\"}, {\"lang\": \"es\", \"value\": \"Se presenta una vulnerabilidad de deserializaci\\u00f3n de datos no confiables en rails versiones anteriores a 5.2.4.3, rails versiones anteriores a 6.0.3.1, que pueden permitir a un atacante suministrar informaci\\u00f3n en la que pueden ser filtrados inadvertidamente par\\u00e1metros fromStrong\"}]",
      "id": "CVE-2020-8164",
      "lastModified": "2024-11-21T05:38:25.023",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-19T17:15:18.677",
      "references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html\", \"source\": \"support@hackerone.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html\", \"source\": \"support@hackerone.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html\", \"source\": \"support@hackerone.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY\", \"source\": \"support@hackerone.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/292797\", \"source\": \"support@hackerone.com\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html\", \"source\": \"support@hackerone.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\", \"source\": \"support@hackerone.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4766\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/292797\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4766\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "support@hackerone.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"support@hackerone.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-8164\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2020-06-19T17:15:18.677\",\"lastModified\":\"2024-11-21T05:38:25.023\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de deserializaci\u00f3n de datos no confiables en rails versiones anteriores a 5.2.4.3, rails versiones anteriores a 6.0.3.1, que pueden permitir a un atacante suministrar informaci\u00f3n en la que pueden ser filtrados inadvertidamente par\u00e1metros fromStrong\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.2.4.3\",\"matchCriteriaId\":\"4357891D-A07C-4E1B-B540-92D6C477E7BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.0.3.1\",\"matchCriteriaId\":\"12B5617A-91AC-4B94-BE1A-057DBF322808\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"40513095-7E6E-46B3-B604-C926F1BA3568\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/292797\",\"source\":\"support@hackerone.com\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4766\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/292797\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4766\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

CERTFR-2020-AVI-301

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, un contournement de la politique de sécurité et une injection de requêtes illégitimes par rebond (CSRF).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Ruby on Rails	Ruby on Rails	Ruby on Rails versions 6.x antérieures à 6.0.3.1
	Ruby on Rails	Ruby on Rails	Ruby on Rails versions 5.x antérieures à 5.2.4.3

References

Title

Publication Time

CERTFR-2020-AVI-301

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Ruby on Rails	Ruby on Rails	Ruby on Rails versions 6.x antérieures à 6.0.3.1
	Ruby on Rails	Ruby on Rails	Ruby on Rails versions 5.x antérieures à 5.2.4.3

References

Title

Publication Time

BDU:2021-01346

Vulnerability from fstec - Published: 19.06.2020

Title

Уязвимость функции each_pair из strong_parameters.rb программной платформы Ruby on Rails, позволяющая нарушителю получить доступ к конфиденциальным данным

Description

Уязвимость функции each_pair из strong_parameters.rb программной платформы Ruby on Rails связана с восстановлением в памяти недостоверной структуры данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить доступ к конфиденциальным данным

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor

Сообщество свободного программного обеспечения, ООО «РусБИТех-Астра», Rails Core Team, ООО «Ред Софт», АО «Концерн ВНИИНС»

Software Name

Debian GNU/Linux, Astra Linux Special Edition (запись в едином реестре российских программ №369), Astra Linux Common Edition (запись в едином реестре российских программ №4433), Astra Linux Special Edition для «Эльбрус» (запись в едином реестре российских программ №11156), Ruby on Rails, РЕД ОС (запись в едином реестре российских программ №3751), ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)

Software Version

9 (Debian GNU/Linux), 1.6 «Смоленск» (Astra Linux Special Edition), 2.12 «Орёл» (Astra Linux Common Edition), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»), до 5.2.4.3 (Ruby on Rails), от 6.0.0 до 6.0.3.1 (Ruby on Rails), 7.3 (РЕД ОС), до 16.01.2023 (ОС ОН «Стрелец»)

Possible Mitigations

Использование рекомендаций: Для rails: Обновление программного обеспечения до 5.0.1 или более поздней версии Для Debian: Обновление программного обеспечения (пакета rails) до 2:4.2.7.1-1+deb9u3 или более поздней версии Для Astra Linux: Обновление программного обеспечения (пакета rails) до 2:4.2.7.1-1+deb9u3 или более поздней версии Или использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16 https://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81 Для ОС ОН «Стрелец»: Обновление программного обеспечения rails до версии 2:4.2.7.1-1+deb9u5 Для РЕД ОС: https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-rubygem-actionpack-cve-2020-8164-cve-2020-8185-cve-2020-8166/?sphrase_id=1074132

Reference

https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY https://hackerone.com/reports/292797 https://nvd.nist.gov/vuln/detail/CVE-2020-8164 https://security-tracker.debian.org/tracker/CVE-2020-8164 https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210611SE16 https://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81 https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\ https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-rubygem-actionpack-cve-2020-8164-cve-2020-8185-cve-2020-8166/?sphrase_id=1074132

CWE

CWE-502

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Rails Core Team, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb (Astra Linux Common Edition), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb), \u0434\u043e 5.2.4.3 (Ruby on Rails), \u043e\u0442 6.0.0 \u0434\u043e 6.0.3.1 (Ruby on Rails), 7.3 (\u0420\u0415\u0414 \u041e\u0421), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f rails:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043e 5.0.1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f Debian:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 rails) \u0434\u043e 2:4.2.7.1-1+deb9u3 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f Astra Linux:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 rails) \u0434\u043e 2:4.2.7.1-1+deb9u3 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\u0418\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f rails \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2:4.2.7.1-1+deb9u5\n\n\u0414\u043b\u044f \u0420\u0415\u0414 \u041e\u0421:\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-rubygem-actionpack-cve-2020-8164-cve-2020-8185-cve-2020-8166/?sphrase_id=1074132",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "19.06.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "01.07.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "15.03.2021",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-01346",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-8164",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), Ruby on Rails, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 each_pair \u0438\u0437 strong_parameters.rb \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-502)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 each_pair \u0438\u0437 strong_parameters.rb \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u043e\u0439 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY\nhttps://hackerone.com/reports/292797\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8164\nhttps://security-tracker.debian.org/tracker/CVE-2020-8164\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20210611SE16\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\\\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-rubygem-actionpack-cve-2020-8164-cve-2020-8185-cve-2020-8166/?sphrase_id=1074132",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-502",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

CNVD-2020-40605

Vulnerability from cnvd - Published: 2020-07-16

Title

Ruby on Rails代码问题漏洞（CNVD-2020-40605）

Description

Ruby on Rails是Rails团队的一套基于Ruby语言的开源Web应用框架。 Ruby on Rails 6.0.3及之前版本中存在安全漏洞。攻击者可利用该漏洞获取信息。

Severity

中

Patch Name

Ruby on Rails代码问题漏洞（CNVD-2020-40605）的补丁

Patch Description

Ruby on Rails是Rails团队的一套基于Ruby语言的开源Web应用框架。 Ruby on Rails 6.0.3及之前版本中存在安全漏洞。攻击者可利用该漏洞获取信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/

Reference

https://www.auscert.org.au/bulletins/ESB-2020.1780/

Impacted products

Name
['Rails Ruby on Rails <5.2.4.3', 'Rails Ruby on Rails <6.0.3.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-8164"
    }
  },
  "description": "Ruby on Rails\u662fRails\u56e2\u961f\u7684\u4e00\u5957\u57fa\u4e8eRuby\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002\n\nRuby on Rails 6.0.3\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-40605",
  "openTime": "2020-07-16",
  "patchDescription": "Ruby on Rails\u662fRails\u56e2\u961f\u7684\u4e00\u5957\u57fa\u4e8eRuby\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002\r\n\r\nRuby on Rails 6.0.3\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Ruby on Rails\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2020-40605\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Rails Ruby on Rails \u003c5.2.4.3",
      "Rails Ruby on Rails \u003c6.0.3.1"
    ]
  },
  "referenceLink": "https://www.auscert.org.au/bulletins/ESB-2020.1780/",
  "serverity": "\u4e2d",
  "submitTime": "2020-05-21",
  "title": "Ruby on Rails\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2020-40605\uff09"
}

FKIE_CVE-2020-8164

Vulnerability from fkie_nvd - Published: 2020-06-19 17:15 - Updated: 2024-11-21 05:38

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

References

URL	Tags
support@hackerone.com	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html	Mailing List, Third Party Advisory
support@hackerone.com	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html	Mailing List, Third Party Advisory
support@hackerone.com	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html	Mailing List, Third Party Advisory
support@hackerone.com	https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY	Patch, Third Party Advisory
support@hackerone.com	https://hackerone.com/reports/292797	Exploit, Patch, Third Party Advisory
support@hackerone.com	https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html	Mailing List, Third Party Advisory
support@hackerone.com	https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html	Mailing List, Third Party Advisory
support@hackerone.com	https://www.debian.org/security/2020/dsa-4766	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://hackerone.com/reports/292797	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2020/dsa-4766	Third Party Advisory

Impacted products

Vendor	Product	Version
rubyonrails	rails	*
rubyonrails	rails	*
debian	debian_linux	8.0
debian	debian_linux	9.0
debian	debian_linux	10.0
opensuse	backports_sle	15.0
opensuse	leap	15.1
opensuse	leap	15.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4357891D-A07C-4E1B-B540-92D6C477E7BB",
              "versionEndExcluding": "5.2.4.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "12B5617A-91AC-4B94-BE1A-057DBF322808",
              "versionEndExcluding": "6.0.3.1",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters."
    },
    {
      "lang": "es",
      "value": "Se presenta una vulnerabilidad de deserializaci\u00f3n de datos no confiables en rails versiones anteriores a 5.2.4.3, rails versiones anteriores a 6.0.3.1, que pueden permitir a un atacante suministrar informaci\u00f3n en la que pueden ser filtrados inadvertidamente par\u00e1metros fromStrong"
    }
  ],
  "id": "CVE-2020-8164",
  "lastModified": "2024-11-21T05:38:25.023",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-19T17:15:18.677",
  "references": [
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/292797"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2020/dsa-4766"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/292797"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2020/dsa-4766"
    }
  ],
  "sourceIdentifier": "support@hackerone.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "support@hackerone.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-8727-M6GJ-MC37

Vulnerability from github – Published: 2020-05-26 15:09 – Updated: 2023-09-25 16:55

Summary

Possible Strong Parameters Bypass in ActionPack

Details

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or each_value, or each_pair will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end

Note the mistaken use of each in the clean_up_params method in the above example.

Workarounds

Do not use the return values of each, each_value, or each_pair in your application.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.4.2"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.3"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-26T15:06:53Z",
    "nvd_published_at": "2020-06-19T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a strong parameters bypass vector in ActionPack.\n\nVersions Affected:  rails \u003c= 6.0.3\nNot affected:       rails \u003c 5.0.0\nFixed Versions:     rails \u003e= 5.2.4.3, rails \u003e= 6.0.3.1\n\nImpact\n------\nIn some cases user supplied information can be inadvertently leaked from\nStrong Parameters.  Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying \"untrusted\" hash of data that was\nread from the parameters.  Applications that use this return value may be\ninadvertently use untrusted user input.\n\nImpacted code will look something like this:\n\n```\ndef update\n  # Attacker has included the parameter: `{ is_admin: true }`\n  User.update(clean_up_params)\nend\n\ndef clean_up_params\n   params.each { |k, v|  SomeModel.check(v) if k == :name }\nend\n```\n\nNote the mistaken use of `each` in the `clean_up_params` method in the above\nexample.\n\nWorkarounds\n-----------\nDo not use the return values of `each`, `each_value`, or `each_pair` in your\napplication.",
  "id": "GHSA-8727-m6gj-mc37",
  "modified": "2023-09-25T16:55:14Z",
  "published": "2020-05-26T15:09:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8164"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/292797"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4766"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Possible Strong Parameters Bypass in ActionPack"
}

GSD-2020-8164

Vulnerability from gsd - Updated: 2020-05-18 00:00

Details

There is a strong parameters bypass vector in ActionPack. Versions Affected: rails <= 6.0.3 Not affected: rails < 4.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input. Impacted code will look something like this: ``` def update # Attacker has included the parameter: `{ is_admin: true }` User.update(clean_up_params) end def clean_up_params params.each { |k, v| SomeModel.check(v) if k == :name } end ``` Note the mistaken use of `each` in the `clean_up_params` method in the above example. Workarounds ----------- Do not use the return values of `each`, `each_value`, or `each_pair` in your application.

Aliases

CVE-2020-8164

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-8164",
    "description": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.",
    "id": "GSD-2020-8164",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-8164.html",
      "https://www.debian.org/security/2020/dsa-4766",
      "https://access.redhat.com/errata/RHSA-2021:1313"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "actionpack",
            "purl": "pkg:gem/actionpack"
          }
        }
      ],
      "aliases": [
        "CVE-2020-8164",
        "GHSA-8727-m6gj-mc37"
      ],
      "details": "There is a strong parameters bypass vector in ActionPack.\n\nVersions Affected:  rails \u003c= 6.0.3\nNot affected:       rails \u003c 4.0.0\nFixed Versions:     rails \u003e= 5.2.4.3, rails \u003e= 6.0.3.1\n\nImpact\n------\nIn some cases user supplied information can be inadvertently leaked from\nStrong Parameters.  Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying \"untrusted\" hash of data that was\nread from the parameters.  Applications that use this return value may be\ninadvertently use untrusted user input.\n\nImpacted code will look something like this:\n\n```\ndef update\n  # Attacker has included the parameter: `{ is_admin: true }`\n  User.update(clean_up_params)\nend\n\ndef clean_up_params\n   params.each { |k, v|  SomeModel.check(v) if k == :name }\nend\n```\n\nNote the mistaken use of `each` in the `clean_up_params` method in the above\nexample.\n\nWorkarounds\n-----------\nDo not use the return values of `each`, `each_value`, or `each_pair` in your\napplication.\n",
      "id": "GSD-2020-8164",
      "modified": "2020-05-18T00:00:00.000Z",
      "published": "2020-05-18T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Possible Strong Parameters Bypass in ActionPack"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2020-8164",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rails/rails",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "5.2.4.3, 6.0.3.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Deserialization of Untrusted Data (CWE-502)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/292797",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/292797"
          },
          {
            "name": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY",
            "refsource": "MISC",
            "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
          },
          {
            "name": "[debian-lts-announce] 20200619 [SECURITY] [DLA 2251-1] rails security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
          },
          {
            "name": "[debian-lts-announce] 20200720 [SECURITY] [DLA 2282-1] rails security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
          },
          {
            "name": "DSA-4766",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2020/dsa-4766"
          },
          {
            "name": "openSUSE-SU-2020:1533",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
          },
          {
            "name": "openSUSE-SU-2020:1536",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
          },
          {
            "name": "openSUSE-SU-2020:1575",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2020-8164",
      "cvss_v3": 7.5,
      "date": "2020-05-18",
      "description": "There is a strong parameters bypass vector in ActionPack.\n\nVersions Affected:  rails \u003c= 6.0.3\nNot affected:       rails \u003c 4.0.0\nFixed Versions:     rails \u003e= 5.2.4.3, rails \u003e= 6.0.3.1\n\nImpact\n------\nIn some cases user supplied information can be inadvertently leaked from\nStrong Parameters.  Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying \"untrusted\" hash of data that was\nread from the parameters.  Applications that use this return value may be\ninadvertently use untrusted user input.\n\nImpacted code will look something like this:\n\n```\ndef update\n  # Attacker has included the parameter: `{ is_admin: true }`\n  User.update(clean_up_params)\nend\n\ndef clean_up_params\n   params.each { |k, v|  SomeModel.check(v) if k == :name }\nend\n```\n\nNote the mistaken use of `each` in the `clean_up_params` method in the above\nexample.\n\nWorkarounds\n-----------\nDo not use the return values of `each`, `each_value`, or `each_pair` in your\napplication.\n",
      "framework": "rails",
      "gem": "actionpack",
      "ghsa": "8727-m6gj-mc37",
      "patched_versions": [
        "~\u003e 5.2.4, \u003e= 5.2.4.3",
        "\u003e= 6.0.3.1"
      ],
      "title": "Possible Strong Parameters Bypass in ActionPack",
      "unaffected_versions": [
        "\u003c 4.0.0"
      ],
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c5.2.4.3||\u003e=6.0.0 \u003c6.0.3.1",
          "affected_versions": "All versions before 5.2.4.3, all versions starting from 6.0.0 before 6.0.3.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2020-09-30",
          "description": "A deserialization of untrusted data vulnerability exists in rails, rails which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.",
          "fixed_versions": [
            "5.2.4.3",
            "6.0.3.1"
          ],
          "identifier": "CVE-2020-8164",
          "identifiers": [
            "CVE-2020-8164"
          ],
          "not_impacted": "All versions starting from 5.2.4.3 before 6.0.0, all versions starting from 6.0.3.1",
          "package_slug": "gem/actionpack",
          "pubdate": "2020-06-19",
          "solution": "Upgrade to versions 5.2.4.3, 6.0.3.1 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-8164"
          ],
          "uuid": "d5fa99f8-5ef4-439f-8689-adaf4477fece"
        },
        {
          "affected_range": "\u003c5.2.4.3||\u003e=6.0.0 \u003c6.0.3.1",
          "affected_versions": "All versions before 5.2.4.3, all versions starting from 6.0.0 before 6.0.3.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2020-09-30",
          "description": "A deserialization of untrusted data vulnerability exists in rails which can allow an attacker to supply information can be inadvertently leaked.",
          "fixed_versions": [
            "5.2.4.3",
            "6.0.3.1"
          ],
          "identifier": "CVE-2020-8164",
          "identifiers": [
            "CVE-2020-8164"
          ],
          "not_impacted": "All versions starting from 5.2.4.3 before 6.0.0, all versions starting from 6.0.3.1",
          "package_slug": "gem/rails",
          "pubdate": "2020-06-19",
          "solution": "Upgrade to versions 5.2.4.3, 6.0.3.1 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-8164"
          ],
          "uuid": "e4ee7df0-2905-4bb3-8dd5-81f33b6fc530"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.3.1",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.4.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2020-8164"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/292797",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://hackerone.com/reports/292797"
            },
            {
              "name": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY"
            },
            {
              "name": "[debian-lts-announce] 20200619 [SECURITY] [DLA 2251-1] rails security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html"
            },
            {
              "name": "[debian-lts-announce] 20200720 [SECURITY] [DLA 2282-1] rails security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html"
            },
            {
              "name": "DSA-4766",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2020/dsa-4766"
            },
            {
              "name": "openSUSE-SU-2020:1533",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html"
            },
            {
              "name": "openSUSE-SU-2020:1536",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html"
            },
            {
              "name": "openSUSE-SU-2020:1575",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-05-24T16:44Z",
      "publishedDate": "2020-06-19T17:15Z"
    }
  }
}

OPENSUSE-SU-2020:1533-1

Vulnerability from csaf_opensuse - Published: 2020-09-25 18:21 - Updated: 2020-09-25 18:21

Summary

Security update for rubygem-actionpack-5_1

Severity

Important

Notes

Title of the patch: Security update for rubygem-actionpack-5_1

Description of the patch: This update for rubygem-actionpack-5_1 fixes the following issues: - CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack. There is a strong parameters bypass vector in ActionPack. (bsc#1172177) This update was imported from the SUSE:SLE-15:Update update project.

Patchnames: openSUSE-2020-1533

CVE-2020-8164

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64		—	Vendor Fix

Threats

Impact important

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1172177	self
https://www.suse.com/security/cve/CVE-2020-8164/	self
https://www.suse.com/security/cve/CVE-2020-8164	external
https://bugzilla.suse.com/1172177	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for rubygem-actionpack-5_1",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for rubygem-actionpack-5_1 fixes the following issues:\n\n- CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack.\n  There is a strong parameters bypass vector in ActionPack.\n  (bsc#1172177)\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-1533",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1533-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:1533-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YAGJKTI3HWBTO3LRFKJMAOSFK2HM6CLR/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:1533-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YAGJKTI3HWBTO3LRFKJMAOSFK2HM6CLR/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1172177",
        "url": "https://bugzilla.suse.com/1172177"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-8164 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-8164/"
      }
    ],
    "title": "Security update for rubygem-actionpack-5_1",
    "tracking": {
      "current_release_date": "2020-09-25T18:21:50Z",
      "generator": {
        "date": "2020-09-25T18:21:50Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:1533-1",
      "initial_release_date": "2020-09-25T18:21:50Z",
      "revision_history": [
        {
          "date": "2020-09-25T18:21:50Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64",
                  "product_id": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64",
                  "product_id": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.1",
                "product": {
                  "name": "openSUSE Leap 15.1",
                  "product_id": "openSUSE Leap 15.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64 as component of openSUSE Leap 15.1",
          "product_id": "openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64 as component of openSUSE Leap 15.1",
          "product_id": "openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8164",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-8164"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64",
          "openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-8164",
          "url": "https://www.suse.com/security/cve/CVE-2020-8164"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172177 for CVE-2020-8164",
          "url": "https://bugzilla.suse.com/1172177"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64",
            "openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1.x86_64",
            "openSUSE Leap 15.1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-09-25T18:21:50Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-8164"
    }
  ]
}

OPENSUSE-SU-2020:1536-1

Vulnerability from csaf_opensuse - Published: 2020-09-26 04:20 - Updated: 2020-09-26 04:20

Summary

Security update for rubygem-actionpack-5_1

Severity

Important

Notes

Title of the patch: Security update for rubygem-actionpack-5_1

Patchnames: openSUSE-2020-1536

CVE-2020-8164

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64		—	Vendor Fix
Unresolved product id: openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64		—	Vendor Fix

Threats

Impact important

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1172177	self
https://www.suse.com/security/cve/CVE-2020-8164/	self
https://www.suse.com/security/cve/CVE-2020-8164	external
https://bugzilla.suse.com/1172177	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for rubygem-actionpack-5_1",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for rubygem-actionpack-5_1 fixes the following issues:\n\n- CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack.\n  There is a strong parameters bypass vector in ActionPack.\n  (bsc#1172177)\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-1536",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1536-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:1536-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PHHJOKTVBY6KIPAX5EYDAV5V4DOJKUXD/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:1536-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PHHJOKTVBY6KIPAX5EYDAV5V4DOJKUXD/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1172177",
        "url": "https://bugzilla.suse.com/1172177"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-8164 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-8164/"
      }
    ],
    "title": "Security update for rubygem-actionpack-5_1",
    "tracking": {
      "current_release_date": "2020-09-26T04:20:41Z",
      "generator": {
        "date": "2020-09-26T04:20:41Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:1536-1",
      "initial_release_date": "2020-09-26T04:20:41Z",
      "revision_history": [
        {
          "date": "2020-09-26T04:20:41Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64",
                  "product_id": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64",
                  "product_id": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.2",
                "product": {
                  "name": "openSUSE Leap 15.2",
                  "product_id": "openSUSE Leap 15.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8164",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-8164"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64",
          "openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-8164",
          "url": "https://www.suse.com/security/cve/CVE-2020-8164"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172177 for CVE-2020-8164",
          "url": "https://bugzilla.suse.com/1172177"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64",
            "openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1.x86_64",
            "openSUSE Leap 15.2:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-09-26T04:20:41Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-8164"
    }
  ]
}

OPENSUSE-SU-2020:1575-1

Vulnerability from csaf_opensuse - Published: 2020-09-29 08:24 - Updated: 2020-09-29 08:24

Summary

Security update for rubygem-actionpack-5_1

Severity

Important

Notes

Title of the patch: Security update for rubygem-actionpack-5_1

Patchnames: openSUSE-2020-1575

CVE-2020-8164

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64	—	Vendor Fix

Threats

Impact important

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1172177	self
https://www.suse.com/security/cve/CVE-2020-8164/	self
https://www.suse.com/security/cve/CVE-2020-8164	external
https://bugzilla.suse.com/1172177	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for rubygem-actionpack-5_1",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for rubygem-actionpack-5_1 fixes the following issues:\n\n- CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack.\n  There is a strong parameters bypass vector in ActionPack.\n  (bsc#1172177)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\nThis update was imported from the openSUSE:Leap:15.1:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-1575",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1575-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:1575-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YHTPGMTLIHWW2HEZZYLTXZTKJJHRRRNO/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:1575-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YHTPGMTLIHWW2HEZZYLTXZTKJJHRRRNO/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1172177",
        "url": "https://bugzilla.suse.com/1172177"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-8164 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-8164/"
      }
    ],
    "title": "Security update for rubygem-actionpack-5_1",
    "tracking": {
      "current_release_date": "2020-09-29T08:24:54Z",
      "generator": {
        "date": "2020-09-29T08:24:54Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:1575-1",
      "initial_release_date": "2020-09-29T08:24:54Z",
      "revision_history": [
        {
          "date": "2020-09-29T08:24:54Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64",
                  "product_id": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64",
                  "product_id": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le",
                  "product_id": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le",
                  "product_id": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x",
                  "product_id": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x",
                  "product_id": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64",
                  "product_id": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64",
                  "product_id": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP1",
                "product": {
                  "name": "SUSE Package Hub 15 SP1",
                  "product_id": "SUSE Package Hub 15 SP1"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8164",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-8164"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A deserialization of untrusted data vulnerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64",
          "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le",
          "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x",
          "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64",
          "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64",
          "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le",
          "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x",
          "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-8164",
          "url": "https://www.suse.com/security/cve/CVE-2020-8164"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172177 for CVE-2020-8164",
          "url": "https://bugzilla.suse.com/1172177"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.aarch64",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.s390x",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-5_1-5.1.4-bp151.2.3.1.x86_64",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.aarch64",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.s390x",
            "SUSE Package Hub 15 SP1:ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-bp151.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-09-29T08:24:54Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-8164"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-8164 (GCVE-0-2020-8164)

Solution

Solution

Impact

Workarounds

Tags

Sightings

Nomenclature