RubySec

Providing security resources for the Ruby community

CVE-2020-8163 (actionview): Potential remote code execution of user-provided local names in ActionView


GEM

actionview

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 8.8 (High)

PATCHED VERSIONS

  • >= 4.2.11.2

DESCRIPTION

There was a vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a render call.

Versions Affected: rails < 5.0.1
Not affected: Applications that do not allow users to control the names of locals.
Fixed Versions: 4.2.11.2

Impact

In the scenario where an attacker might be able to control the name of a local passed into render, they can achieve remote code execution.

Workarounds

Until such time as the patch can be applied, application developers should ensure that all user-provided local names are alphanumeric.
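The impact and workaround sections above describe the risk and the mitigation; the following is an added example of how an application can enforce that mitigation. It is not code from the advisory or from Rails, and it goes slightly beyond "alphanumeric" by applying Ruby local-variable naming rules and rejecting reserved words, since ActionView compiles local names into generated Ruby source. The function and class names are assumptions chosen for this example.

```ruby
# Added example (not from the advisory or from Rails): validate user-supplied
# local names before they reach render(locals: ...). Only strings that are
# plain Ruby local-variable identifiers and not reserved words are accepted.
RUBY_RESERVED = %w[
  alias and begin BEGIN break case class def do else elsif end END ensure
  false for if in module next nil not or redo rescue retry return self super
  then true undef unless until when while yield __FILE__ __LINE__ __ENCODING__
].freeze

# Lowercase letter or underscore first, then letters, digits, underscores.
LOCAL_NAME_RE = /\A[a-z_][a-zA-Z0-9_]*\z/

class UnsafeLocalName < ArgumentError; end

# True when +name+ is safe to use as the name of a render local.
def safe_local_name?(name)
  s = name.to_s
  LOCAL_NAME_RE.match?(s) && !RUBY_RESERVED.include?(s)
end

# Returns a new hash with symbol keys, or raises UnsafeLocalName if any key
# fails the check. Apply this to any locals hash whose keys come from input.
def sanitize_locals(locals)
  locals.each_with_object({}) do |(name, value), out|
    raise UnsafeLocalName, "rejected local name: #{name.inspect}" unless safe_local_name?(name)
    out[name.to_sym] = value
  end
end

# Constructed demo input; the string keys stand in for values taken from params.
if __FILE__ == $PROGRAM_NAME
  puts sanitize_locals({ "title" => "Hello", :count => 3 }).inspect
  begin
    sanitize_locals({ "bad name" => "Hello" }) # contains a space: not an identifier
  rescue UnsafeLocalName => e
    puts e.message
  end
end
```

In a controller, pass the sanitized hash as `locals:` to `render` instead of the raw user-supplied hash, so a rejected name fails the request before any template is compiled.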