cfscode / resque-web

a Rails-based web interface to Resque
0 stars 0 forks source link

CVE-2020-8130 (Medium) detected in rake-12.0.0.gem #29

Open mend-bolt-for-github[bot] opened 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2020-8130 - Medium Severity Vulnerability

Vulnerable Library - rake-12.0.0.gem

Rake is a Make-like program implemented in Ruby. Tasks and dependencies are specified in standard Ruby syntax. Rake has the following features: * Rakefiles (rake's version of Makefiles) are completely defined in standard Ruby syntax. No XML files to edit. No quirky Makefile syntax to worry about (is that a tab or a space?) * Users can specify tasks with prerequisites. * Rake supports rule patterns to synthesize implicit tasks. * Flexible FileLists that act like arrays but know about manipulating file names and paths. * Supports parallel execution of tasks.

Library home page: https://rubygems.org/gems/rake-12.0.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /Gemfile.lock

Dependency Hierarchy: - dotenv-rails-2.2.0.gem (Root Library) - railties-5.0.2.gem - :x: **rake-12.0.0.gem** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.

Publish Date: 2020-02-24

URL: CVE-2020-8130

CVSS 3 Score Details (6.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130

Release Date: 2020-02-24

Fix Resolution: v12.3.3


Step up your Open Source Security Game with Mend here