CVE-2020-8165 - High Severity Vulnerability
Vulnerable Library - activesupport-5.2.4.2.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-5.2.4.2.gem
Path to dependency file: /tmp/ws-scm/chaltron/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/activesupport-5.2.4.2.gem
Dependency Hierarchy:
- coffee-rails-4.2.2.gem (Root Library)
  - railties-5.2.4.2.gem
    - actionpack-5.2.4.2.gem
      - rails-dom-testing-2.0.3.gem
        - :x: **activesupport-5.2.4.2.gem** (Vulnerable Library)
Found in HEAD commit: 1b50f621103349895a1a437eea1f48393a237a04
Vulnerability Details
In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like: `data = cache.fetch("demo", raw: true) { untrusted_string }`
Publish Date: 2020-05-31
URL: CVE-2020-8165
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-2p68-f74v-9wc6
Release Date: 2020-05-31
Fix Resolution: 5.2.4.3, 6.0.3.1