CVE-2020-8164

Опубликовано: 18 мая 2020

Источник: redhat

CVSS3: 7.5

EPSS Низкий

Описание

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

A flaw was found in rubygem-actionpack. Untrusted hashes of data is possible for values of each, each_value, and each_pair which can lead to cases of user supplied information being leaked from Strong Parameters. Applications that use these hashes may inadvertently use untrusted user input. The highest risk from this vulnerability is to data confidentiality.

Отчет

Red Hat CloudForms and Red Hat Satellite ship affected RubyGem actionpack and uses strong parameters, however, products are not vulnerable since safe return values are used in product code.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
CloudForms Management Engine 5	cfme-amazon-smartstate	Not affected
CloudForms Management Engine 5	cfme-gemset	Will not fix
Red Hat Satellite 6.9 for RHEL 7	ansible-collection-redhat-satellite	Fixed	RHSA-2021:1313	21.04.2021
Red Hat Satellite 6.9 for RHEL 7	ansiblerole-foreman_scap_client	Fixed	RHSA-2021:1313	21.04.2021
Red Hat Satellite 6.9 for RHEL 7	ansiblerole-insights-client	Fixed	RHSA-2021:1313	21.04.2021
Red Hat Satellite 6.9 for RHEL 7	ansiblerole-satellite-receptor-installer	Fixed	RHSA-2021:1313	21.04.2021
Red Hat Satellite 6.9 for RHEL 7	ansible-runner	Fixed	RHSA-2021:1313	21.04.2021
Red Hat Satellite 6.9 for RHEL 7	candlepin	Fixed	RHSA-2021:1313	21.04.2021
Red Hat Satellite 6.9 for RHEL 7	createrepo_c	Fixed	RHSA-2021:1313	21.04.2021
Red Hat Satellite 6.9 for RHEL 7	foreman	Fixed	RHSA-2021:1313	21.04.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-200

https://bugzilla.redhat.com/show_bug.cgi?id=1842634rubygem-actionpack: possible strong parameters bypass

EPSS

Процентиль: 90%

0.05862

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2020-8164

CVSS3: 7.5

ubuntu

около 5 лет назад

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

CVE-2020-8164

CVSS3: 7.5

nvd

около 5 лет назад

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

CVE-2020-8164

CVSS3: 7.5

debian

около 5 лет назад

A deserialization of untrusted data vulnerability exists in rails < 5. ...

openSUSE-SU-2020:1536-1

suse-cvrf

почти 5 лет назад

Security update for rubygem-actionpack-5_1

openSUSE-SU-2020:1533-1

suse-cvrf

почти 5 лет назад

Security update for rubygem-actionpack-5_1

EPSS

Процентиль: 90%

0.05862

Низкий

7.5 High

CVSS3