PT-2020-5645 · Ruby · Ruby On Rails

Dylan-Ts · Published 2020-05-26 · Updated 2025-09-29 · CVE-2020-8165

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Ruby on Rails versions prior to 5.2.4.3
Ruby on Rails versions prior to 6.0.3.1
Description
The issue is a deserialization of untrusted data in the MemCacheStore and RedisCacheStore cache stores of Ruby on Rails (Active Support). When untrusted user input is written to the cache with the raw: true option, the value is stored as a plain string; on a later read the store attempts to interpret the stored bytes as a Marshalled object instead of plain text, so attacker-supplied input that forms a valid Marshal stream is deserialized. Exploitation therefore requires an application code path that caches attacker-controlled strings with raw: true in one of these two stores and later reads them back. The impact ranges from injecting untrusted Ruby objects into the web application to remote code execution, with full loss of confidentiality, integrity and availability.
Recommendations
For Ruby on Rails 5.2.x prior to 5.2.4.3, update to 5.2.4.3 or later. For Ruby on Rails 6.0.x prior to 6.0.3.1, update to 6.0.3.1 or later. If updating is not feasible, apply the patch supplied with the upstream advisory as soon as possible. As a temporary workaround, check every user-provided string that is cached with the raw option against the format the application expects before writing it, and reject anything that does not conform.
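The following Ruby program is an added example, not code from Rails or from this advisory. It simulates the read/write asymmetry the description above refers to with a small in-memory stand-in for the cache store, and then shows the two defences named in the recommendations: a read path that honours raw: true and never unmarshals such entries (assumption: a simplified stand-in for the upstream fix, not the actual patch), and the write-side format check from the workaround. The Gadget class, the EXPECTED_FORMAT pattern, the cache key and both inputs are constructed for the example.

```ruby
# Added example (not Rails code): the raw: true write / Marshal.load read gap
# behind CVE-2020-8165, reproduced with an in-memory stand-in for the store.

# Harmless marker class. Assumption: it stands in for a real deserialization
# gadget only to show that attacker-chosen bytes come back as a live object.
class Gadget
  attr_reader :cmd
  def initialize(cmd)
    @cmd = cmd
  end
end

# Pre-fix behaviour: raw: true is honoured on write only. The read path always
# tries Marshal.load and falls back to the bare string when that fails.
class LegacyStore
  def initialize
    @data = {}
  end

  def write(key, value, raw: false)
    @data[key] = raw ? value.to_s : Marshal.dump(value)
  end

  def read(key)
    payload = @data[key]
    return nil if payload.nil?
    Marshal.load(payload)
  rescue TypeError, ArgumentError
    payload # not a Marshal stream: hand back the plain string
  end
end

# Hardened behaviour (simplified stand-in for the fix): a read that passes
# raw: true gets the stored bytes back verbatim and never unmarshals them.
class HardenedStore < LegacyStore
  def read(key, raw: false)
    payload = @data[key]
    return nil if payload.nil?
    return payload if raw
    Marshal.load(payload)
  end
end

# Write-side workaround from the advisory: only cache raw strings that match the
# format the application expects. Assumption: the pattern is illustrative.
EXPECTED_FORMAT = /\A[\w-]{1,64}\z/

def cache_raw_checked(store, key, input)
  unless input.match?(EXPECTED_FORMAT)
    raise ArgumentError, "raw cache value does not match expected format"
  end
  store.write(key, input, raw: true)
  true
end

# Constructed inputs: a benign nickname, and a Marshal stream an attacker
# submits where the application expects a plain string.
BENIGN_INPUT   = "alice_42"
ATTACKER_INPUT = Marshal.dump(Gadget.new("id"))

# Vulnerable round trip: attacker bytes are written raw and read back as an object.
def legacy_roundtrip(input)
  store = LegacyStore.new
  store.write("user:nickname", input, raw: true)
  store.read("user:nickname")
end

# Hardened round trip: the same bytes come back as the string that was stored.
def hardened_roundtrip(input)
  store = HardenedStore.new
  store.write("user:nickname", input, raw: true)
  store.read("user:nickname", raw: true)
end

if __FILE__ == $PROGRAM_NAME
  puts legacy_roundtrip(ATTACKER_INPUT).class # Gadget: input was deserialized
  puts hardened_roundtrip(ATTACKER_INPUT) == ATTACKER_INPUT # true: still a String
  begin
    cache_raw_checked(HardenedStore.new, "user:nickname", ATTACKER_INPUT)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The legacy read path rescues the Marshal errors a normal string produces, which is exactly why the bug is silent in production: benign values round-trip correctly and only a well-formed Marshal stream changes type on the way back. The format check is the practical mitigation while a version update is pending, because it stops the attacker's bytes from reaching the cache at all, whereas the hardened read only helps on code paths that actually pass raw: true when reading.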

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2020-2321
BDU:2021-01345
CVE-2020-8165
DLA-2251-1
DLA-2282-1
DSA-4766-1
GHSA-2P68-F74V-9WC6
OESA-2021-1145
OPENSUSE-SU-2020:1677-1
OPENSUSE-SU-2020:1679-1
OPENSUSE-SU-2020:1993-1
OPENSUSE-SU-2020:2000-1
OPENSUSE-SU-2024:10589-1
OPENSUSE-SU-2024:11330-1
OPENSUSE-SU-2024:11331-1
OPENSUSE-SU-2024:11828-1
RHSA-2021:1313
SUSE-SU-2020:2899-1
SUSE-SU-2020:2929-1
SUSE-SU-2020:3036-1
SUSE-SU-2020:3147-1
SUSE-SU-2020:3160-1

Affected Products

Alt Linux
Red Os
Ruby On Rails
Suse