Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-8163

EPSS 91.07% · P100
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2020-8163

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Ruby on Rails 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Ruby on Rails是Rails团队的一套基于Ruby语言的开源Web应用框架。 Ruby on Rails 5.0.1之前版本中存在代码注入漏洞。远程攻击者可利用该漏洞执行代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
-https://github.com/rails/rails Fixed in 4.2.11.2 -

II. Public POCs for CVE-2020-8163

#POC DescriptionSource LinkShenlong Link
1CVE-2020-8163 - Remote code execution of user-provided local names in Railshttps://github.com/lucasallan/CVE-2020-8163POC Details
2Enviroment and exploit to rce testhttps://github.com/h4ms1k/CVE-2020-8163POC Details
3This is a exploit code for CVE-2020-8163https://github.com/TK-Elliot/CVE-2020-8163POC Details
4This is a exploit code for CVE-2020-8163https://github.com/RedPhantomRoot/CVE-2020-8163POC Details
5This is a exploit code for CVE-2020-8163https://github.com/RedBinaryRabbit/CVE-2020-8163POC Details
6Ruby on Rails before version 5.0.1 is susceptible to remote code execution because it passes user parameters as local variables into partials.https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-8163.yamlPOC Details
7CVE-2020-8163 - Remote code execution of user-provided local names in Railshttps://github.com/lucasamorimca/CVE-2020-8163POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2020-8163

登录查看更多情报信息。

Same Patch Batch · n/a · 2020-07-02 · 19 CVEs total

CVE-2020-12119Ledger Live 安全漏洞
CVE-2020-8161RubyGem Rack 路径遍历漏洞
CVE-2020-15503LibRaw 输入验证错误漏洞
CVE-2020-15502DuckDuckGo application 信息泄露漏洞
CVE-2020-5911F5 NGINX Controller 安全漏洞
CVE-2020-5910F5 NGINX Controller 授权问题漏洞
CVE-2020-5909F5 NGINX Controller 信任管理问题漏洞
CVE-2020-9497Apache Guacamole 信息泄露漏洞
CVE-2020-9498Apache Guacamole 缓冲区错误漏洞
CVE-2020-15469QEMU 代码问题漏洞
CVE-2020-13653Zimbra Collaboration Suite 跨站脚本漏洞
CVE-2020-14092WordPress CodePeople Payment Form for PayPal Pro SQL注入漏洞
CVE-2019-20894Containous Traefik 信任管理问题漏洞
CVE-2020-8185Rails 资源管理错误漏洞
CVE-2020-8188Ubiquiti UniFi Protect 命令注入漏洞
CVE-2020-8166Ruby on Rails 跨站请求伪造漏洞
CVE-2020-8179Nextcloud Deck 访问控制错误漏洞
CVE-2020-8176koa-shopify-auth 跨站脚本漏洞

IV. Related Vulnerabilities

Same product: https://github.com/rails/rails
Same vendor: n/a
Same weakness: CWE-94

V. Comments for CVE-2020-8163

No comments yet

Leave a comment