activesupport is vulnerable to arbitrary code execution. The vulnerability exists because user input written to the cache store using the raw: true
parameter can cause the cached content to be evaluated when it is read again.
CPE Name | Operator | Version
---|---|---
activesupport | le | 5.2.4.2
activesupport | le | 6.0.3
rails:stretch | eq | 2:4.2.7.1-1+deb9u2
rails:buster | eq | 2:5.2.2.1+dfsg-1+deb10u1
lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
github.com/advisories/GHSA-2p68-f74v-9wc6
github.com/rails/rails/commit/0a7ce52486adb36984174bd51257a0069fe7a9db
github.com/rails/rails/commit/f7e077f85e61fc0b7381963eda0ceb0e457546b5
github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
hackerone.com/reports/413388
lists.debian.org/debian-lts-announce/2020/06/msg00022.html
lists.debian.org/debian-lts-announce/2020/07/msg00013.html
weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/
www.debian.org/security/2020/dsa-4766