[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

250770

 
 

909

 
 

196157

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2020-8165Date: (C)2020-06-22   (M)2023-12-22


A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 9.8CVSS Score : 7.5
Exploit Score: 3.9Exploit Score: 10.0
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
DSA-4766
https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
https://hackerone.com/reports/413388
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/
openSUSE-SU-2020:1677
openSUSE-SU-2020:1679

CPE    3
cpe:/o:debian:debian_linux:9.0
cpe:/a:rubyonrails:rails
cpe:/o:debian:debian_linux:8.0
CWE    1
CWE-502
OVAL    5
oval:org.secpod.oval:def:66682
oval:org.secpod.oval:def:89050275
oval:org.secpod.oval:def:605049
oval:org.secpod.oval:def:89050237
...

© SecPod Technologies