CVE-2020-8159
moderate-risk
Published 2020-05-12
There is a vulnerability in the actionpack_page-caching gem before v1.2.1 that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
Do I need to act?
5.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Fix available
Upgrade to: 066693b3e6a0f491179fedc3b4262f32b88a8872
CVSS 9.8/10 · Critical
NETWORK / LOW complexity
Affected Products (2)
Actionpack Page-Caching
Affected Vendors
References (4)
47 / 100 · moderate-risk
Severity
32/34 · Critical
Exploitability
8/34 · Low
Exposure
7/34 · Low