CVE-2020-8130 (High) detected in rake-10.2.2.gem #34
Description
CVE-2020-8130 - High Severity Vulnerability
Vulnerable Library - rake-10.2.2.gem
Rake is a Make-like program implemented in Ruby. Tasks and dependencies are specified in standard Ruby syntax.
Rake has the following features:
- Rakefiles (rake's version of Makefiles) are completely defined in standard Ruby syntax. No XML files to edit. No quirky Makefile syntax to worry about (is that a tab or a space?)
- Users can specify tasks with prerequisites.
- Rake supports rule patterns to synthesize implicit tasks.
- Flexible FileLists that act like arrays but know about manipulating file names and paths.
- A library of prepackaged tasks to make building rakefiles easier. For example, tasks for building tarballs and publishing to FTP or SSH sites. (Formerly tasks for building RDoc and Gems were included in rake but they're now available in RDoc and RubyGems respectively.)
- Supports parallel execution of tasks.
Library home page: https://rubygems.org/gems/rake-10.2.2.gem
Path to vulnerable library: /tmp/git/app1/Gemfile.lock,/var/lib/gems/2.5.0/cache/rake-10.2.2.gem
Dependency Hierarchy:
- sass-rails-4.0.3.gem (Root Library)
  - railties-4.1.0.gem
    - ❌ rake-10.2.2.gem (Vulnerable Library)
- railties-4.1.0.gem
Found in HEAD commit: 9d946faa10e3050193fb56220287f7565773de83
Vulnerability Details
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.
Publish Date: 2020-02-24
URL: CVE-2020-8130
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130
Release Date: 2020-02-24
Fix Resolution: v12.3.3