CVE-2020-8164

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

Link	Resource
https://hackerone.com/reports/292797	Exploit Patch
https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html	Mailing List Third Party Advisory
https://www.debian.org/security/2020/dsa-4766	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html	Mailing List Third Party Advisory

Configuration 1

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:* cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

---

Published : 2020-06-19 05:15

Updated : 2022-05-24 04:44

---

NVD link : CVE-2020-8164

Mitre link : CVE-2020-8164

Rails

Rubyonrails

CWE-502

Deserialization of Untrusted Data