https://github.com/lucasallan/CVE-2020-8163

CVE-2020-8163 - Remote code execution of user-provided local names in Rails
https://github.com/lucasallan/CVE-2020-8163

Last synced: 4 months ago
JSON representation

CVE-2020-8163 - Remote code execution of user-provided local names in Rails

• Host: GitHub
• URL: https://github.com/lucasallan/CVE-2020-8163
• Owner: lucasallan
• Created: 2020-06-19T21:03:05.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2022-12-14T11:37:43.000Z (almost 3 years ago)
• Last Synced: 2025-04-13T13:35:45.694Z (7 months ago)
• Language: Ruby
• Size: 29.3 KB
• Stars: 61
• Watchers: 2
• Forks: 12
• Open Issues: 6
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - lucasallan/CVE-2020-8163 - CVE-2020-8163 - Remote code execution of user-provided local names in Rails (Ruby)

README

          
# CVE-2020-8163

CVE-2020-8163 - Remote code execution of user-provided local names in Rails

Remote code execution of user-provided local names in Rails < 5.0.1

There was a vulnerability in versions of Rails prior to 5.0.1 that would

allow an attacker who controlled the `locals` argument of a `render` call.

This vulnerability has been assigned the CVE identifier CVE-2020-8163.

Versions Affected:  rails < 5.0.1

Not affected:       Applications that do not allow users to control the names of locals.

Fixed Versions:     4.2.11.2

### Vulnerable app:

I've included a vulnerable app that can be used for testing purposes. The vulnerable endpoint is: `main/index`