Ruby on Rails local names command execution

Added: 07/29/2020
CVE: CVE-2020-8163

Background

Ruby on Rails is a web application framework written in Ruby.

Problem

Rails applications that allow users to control the names of local variables are affected by a vulnerability that could allow a remote attacker to execute arbitrary commands.

Resolution

Upgrade to Ruby on Rails 5.0.1 or higher, or configure the application not to allow users to control the names of local variables.
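The second part of the resolution, keeping user input out of local variable names, can be enforced before any user-supplied key reaches a template. The following is an added example and is not code from the original entry or from Rails; the helper names, the allowlist and the sample input are assumptions constructed for illustration. Only names that are both valid Ruby identifiers and on an explicit allowlist are passed through; anything else is rejected rather than sanitised.

```ruby
# Added example (not from the original advisory or from Rails): reject any
# user-controlled local variable name that is not explicitly allowlisted.
# ALLOWED_LOCALS, LOCAL_NAME and the helper names are hypothetical.

ALLOWED_LOCALS = %w[title body author].freeze

# Conservative shape of a Ruby local variable name: lowercase letter or
# underscore, then letters, digits or underscores. Anything outside this
# (spaces, punctuation, leading digits) is refused.
LOCAL_NAME = /\A[a-z_][a-zA-Z0-9_]*\z/.freeze

class DisallowedLocalName < StandardError; end

# Builds the Hash that would be handed to `render locals:`.
# Every key is checked against both the identifier pattern and the allowlist,
# so the caller never forwards a user-chosen name to the view layer.
def safe_locals(params)
  params.each_with_object({}) do |(name, value), out|
    name = name.to_s
    unless name.match?(LOCAL_NAME) && ALLOWED_LOCALS.include?(name)
      raise DisallowedLocalName, "local name not permitted: #{name.inspect}"
    end
    out[name.to_sym] = value
  end
end

# Boolean form for callers that want to respond with 400 instead of raising.
def safe_locals?(params)
  safe_locals(params)
  true
rescue DisallowedLocalName
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: one allowlisted key and one rejected key.
  puts safe_locals({ "title" => "Hello" }).inspect
  puts safe_locals?({ "not on the list" => "x" })
end
```

In a controller, `render template_name, locals: safe_locals(params.to_unsafe_h.slice(*ALLOWED_LOCALS))` (Rails calls assumed, not shown running here) keeps the allowlist as the single point of control; expanding the list is then a code review decision rather than something a request can change.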

References

https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0?pli=1

Limitations

The path to a web application resource which allows users to control the names of local variables must be specified.

Platforms

Linux
