Potential remote code execution of user-provided local names in ActionView
Published: May 15, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-8163 (NVD)
- GHSA: GHSA-cr3x-7m39-c6jq
- Vendor Advisory: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
GEM
FRAMEWORK
SEVERITY
CVSS v3.x: 8.8 (High)
PATCHED VERSIONS
>= 4.2.11.2
DESCRIPTION
There was a vulnerability in versions of Rails prior to 5.0.1 that would
allow an attacker who controlled the locals argument of a render call.
Versions Affected: rails < 5.0.1
Not affected: Applications that do not allow users to control the names of locals.
Fixed Versions: 4.2.11.2
Impact
In the scenario where an attacker might be able to control the name of a
local passed into render, they can achieve remote code execution.
Workarounds
Until such time as the patch can be applied, application developers should ensure that all user-provided local names are alphanumeric.
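One way to apply this workaround in application code, shown as an added example that is not part of the advisory or of the Rails patch. The names `sanitize_locals`, `ALLOWED_LOCALS`, `UnsafeLocalName` and the sample local names are hypothetical, and the allowlist goes one step beyond the alphanumeric check the advisory asks for.

```ruby
# Added example: validate user-provided local names before they reach render.
# All names here are hypothetical; adjust ALLOWED_LOCALS to your templates.

# Strictly alphanumeric, as the advisory words it (underscores are rejected).
# \A and \z anchor the whole string. ^ and $ anchor a single line only, so a
# name such as "title\nextra" would slip past /^[A-Za-z0-9]+$/.
ALNUM_LOCAL = /\A[A-Za-z0-9]+\z/

# Optional tighter control: the locals the templates actually expect (assumed).
ALLOWED_LOCALS = %w[title body author].freeze

class UnsafeLocalName < ArgumentError; end

# Returns a new hash with symbol keys, or raises on the first bad name.
# Fails closed: nothing is silently dropped or rewritten.
# Pass allowed: nil to enforce only the alphanumeric rule.
def sanitize_locals(user_locals, allowed: ALLOWED_LOCALS)
  unless user_locals.respond_to?(:each_pair)
    raise UnsafeLocalName, "locals must be a hash"
  end

  user_locals.each_pair.with_object({}) do |(name, value), safe|
    key = name.to_s
    unless ALNUM_LOCAL.match?(key)
      raise UnsafeLocalName, "non-alphanumeric local name: #{key.inspect}"
    end
    if allowed && !allowed.include?(key)
      raise UnsafeLocalName, "unexpected local name: #{key.inspect}"
    end
    safe[key.to_sym] = value
  end
end

# Call shape at the render site ("widget" is a made-up partial name):
#   render partial: "widget", locals: sanitize_locals(user_supplied_hash)
```

Raising instead of filtering makes rejected names visible in error logs, which gives a signal worth alerting on while the upgrade to a patched version is pending.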
