PT-2020-19994 · Ruby · Actionpack Page-Caching

Ooooooo_Q

Published

2020-05-12

Updated

2022-04-05

CVE-2020-8159

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions actionpack page-caching gem versions prior to 1.2.1

Description The issue allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.

Recommendations For actionpack page-caching gem versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the web server to minimize the risk of exploitation.

Exploit

Fix

RCE

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2020-8159

DLA-2719-1

GHSA-MG5P-95M9-RMFP

Affected Products

Actionpack Page-Caching

PT-2020-19994 · Ruby · Actionpack Page-Caching

CVE-2020-8159

Weakness Enumeration

Related Identifiers

Affected Products

References · 13