Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/lucasallan/CVE-2020-8163
CVE-2020-8163 - Remote code execution of user-provided local names in Rails
https://github.com/lucasallan/CVE-2020-8163
Last synced: about 1 month ago
JSON representation
CVE-2020-8163 - Remote code execution of user-provided local names in Rails
- Host: GitHub
- URL: https://github.com/lucasallan/CVE-2020-8163
- Owner: lucasallan
- Created: 2020-06-19T21:03:05.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2022-12-14T11:37:43.000Z (almost 2 years ago)
- Last Synced: 2024-07-30T14:19:16.422Z (about 2 months ago)
- Language: Ruby
- Size: 29.3 KB
- Stars: 65
- Watchers: 2
- Forks: 12
- Open Issues: 6
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - lucasallan/CVE-2020-8163 - CVE-2020-8163 - Remote code execution of user-provided local names in Rails (Ruby)
README
# CVE-2020-8163
CVE-2020-8163 - Remote code execution of user-provided local names in Rails
Remote code execution of user-provided local names in Rails < 5.0.1
There was a vulnerability in versions of Rails prior to 5.0.1 that would
allow an attacker who controlled the `locals` argument of a `render` call.
This vulnerability has been assigned the CVE identifier CVE-2020-8163.
Versions Affected: rails < 5.0.1
Not affected: Applications that do not allow users to control the names of locals.
Fixed Versions: 4.2.11.2
### Vulnerable app:
I've included a vulnerable app that can be used for testing purposes. The vulnerable endpoint is: `main/index`