FreeBSD: VID-85FCA718-99F6-11EA-BF1D-08002728F74C (CVE-2020-8166): Rails -- multiple vulnerabilities

Severity: 4
CVSS (v2 vector): (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: May 18, 2020
Added: May 20, 2020
Modified: Oct 20, 2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.


From VID-85FCA718-99F6-11EA-BF1D-08002728F74C:

Ruby on Rails blog:

Hi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.

Both releases contain the following fixes:

CVE-2020-8162: Circumvention of file size limits in ActiveStorage
CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack
CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
CVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token
CVE-2020-8167: CSRF Vulnerability in rails-ujs

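The CVE this entry is filed under, CVE-2020-8166, is a key-derivation mistake rather than a missing check. Rails issues a global CSRF token embedded in every page and, optionally, per-form tokens bound to one action path and HTTP method, the idea being that a token captured for one form cannot be replayed against another. The following Ruby is an added illustration, not Rails' own code: a constructed, simplified model (session storage and Rails' BREACH-mitigating XOR mask are omitted, and the `"!real_csrf_token"` identifier and the exact shape of the fixed derivation are assumptions) showing why deriving per-form tokens directly from the value that is handed to the browser lets anyone holding that value mint per-form tokens, and how deriving both tokens from a secret that never leaves the server closes the gap.

```ruby
require "openssl"
require "securerandom"

# Constructed, simplified model of Rails' global vs. per-form CSRF tokens
# (an assumption for illustration, not Rails' own code; session storage and
# the per-request XOR masking Rails applies against BREACH are omitted, since
# the mask travels with the token and hides nothing from whoever holds it).
#
# Per-form tokens are an HMAC over "path#method" keyed by a per-session secret.
# The flaw modelled here (CVE-2020-8166): the global token placed in every page
# was that keying secret itself, so a leaked global token lets anyone mint a
# valid per-form token for any action.

def hmac(key, data)
  OpenSSL::HMAC.digest("SHA256", key, data)
end

def per_form_token(raw_secret, action_path, http_method)
  hmac(raw_secret, "#{action_path}##{http_method.to_s.downcase}")
end

# Vulnerable scheme: the page-embedded global token is the raw secret.
def vulnerable_global_token(raw_secret)
  raw_secret
end

# Fixed scheme (assumed shape of the fix): the global token is itself an HMAC
# under the raw secret with a fixed identifier, so the secret never leaves the
# server and neither token can be derived from the other.
GLOBAL_TOKEN_IDENTIFIER = "!real_csrf_token"
def fixed_global_token(raw_secret)
  hmac(raw_secret, GLOBAL_TOKEN_IDENTIFIER)
end

# Attacker's move: treat the token seen in the page as the HMAC key.
def forge_per_form_token(leaked_global_token, action_path, http_method)
  hmac(leaked_global_token, "#{action_path}##{http_method.to_s.downcase}")
end

# Constant-time comparison so token validation does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server check: accept either the global token or the per-form token for this action.
def valid_token?(raw_secret, submitted, action_path, http_method, global_token_fn)
  secure_compare(submitted, global_token_fn.call(raw_secret)) ||
    secure_compare(submitted, per_form_token(raw_secret, action_path, http_method))
end

# Run the forgery against both schemes; returns which submissions the server accepts.
def demo(raw_secret = SecureRandom.random_bytes(32))
  path, meth = "/accounts/transfer", :post  # constructed target form

  forged_vuln  = forge_per_form_token(vulnerable_global_token(raw_secret), path, meth)
  forged_fixed = forge_per_form_token(fixed_global_token(raw_secret), path, meth)

  {
    vulnerable_forgery_accepted: valid_token?(raw_secret, forged_vuln, path, meth, method(:vulnerable_global_token)),
    fixed_forgery_accepted:      valid_token?(raw_secret, forged_fixed, path, meth, method(:fixed_global_token)),
    fixed_legit_form_accepted:   valid_token?(raw_secret, per_form_token(raw_secret, path, meth), path, meth, method(:fixed_global_token)),
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The practical takeaway for reviewing your own token schemes is the same: anything sent to the client must be an output of the secret, never the secret itself, or every value derived from that secret is derivable by the client too. Upgrading to 5.2.4.3 / 6.0.3.1 (or the FreeBSD packages listed under Solution(s)) is the actual fix; this model only explains what changed.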
Solution(s)

freebsd-upgrade-package-rubygem-actionpack52
freebsd-upgrade-package-rubygem-actionpack60
freebsd-upgrade-package-rubygem-actionview52
freebsd-upgrade-package-rubygem-actionview60
freebsd-upgrade-package-rubygem-activestorage52
freebsd-upgrade-package-rubygem-activestorage60
freebsd-upgrade-package-rubygem-activesupport52
freebsd-upgrade-package-rubygem-activesupport60