CVE-2020-8130

CVSS v2.0

6.9

Medium

Vector

AV:L/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Rake versions prior to 12.3.3

Description The issue is related to an OS command injection vulnerability in the Rake::FileList class of the Rake build automation tool. This vulnerability arises from the failure to neutralize special elements used in operating system commands. Exploitation of this issue can allow an attacker to execute arbitrary commands. The vulnerability is triggered when a filename starting with the pipe character | is supplied.

Recommendations For versions prior to 12.3.3, update to version 12.3.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of filenames that begin with the pipe character | in the Rake::FileList class until a patch is applied. Restrict access to the Rake::FileList class to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

BDU:2020-05763

CVE-2020-8130

DLA-2120-1

GHSA-JPPV-GW3R-W3Q8

MGASA-2020-0121

OPENSUSE-SU-2020:0395-1

OPENSUSE-SU-2020_0395-1

RHSA-2021:4702

SUSE-SU-2020:0737-1

SUSE-SU-2022:3212-1

SUSE-SU-2022_3212-1

USN-4295-1

Affected Products

Rake

Suse

Ubuntu

CVE-2020-8130

Weakness Enumeration

Related Identifiers

Affected Products

References · 55