Description
Vulnerable Library - rake-10.5.0.gem
Rake is a Make-like program implemented in Ruby. Tasks and dependencies are specified in standard Ruby syntax.
Rake has the following features:
- Rakefiles (rake's version of Makefiles) are completely defined in standard Ruby syntax. No XML files to edit. No quirky Makefile syntax to worry about (is that a tab or a space?)
- Users can specify tasks with prerequisites.
- Rake supports rule patterns to synthesize implicit tasks.
- Flexible FileLists that act like arrays but know about manipulating file names and paths.
- A library of prepackaged tasks to make building rakefiles easier. For example, tasks for building tarballs and publishing to FTP or SSH sites. (Formerly tasks for building RDoc and Gems were included in rake but they're now available in RDoc and RubyGems respectively.)
- Supports parallel execution of tasks.
Library home page: https://rubygems.org/gems/rake-10.5.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Found in HEAD commit: f50839884cfe536c10162aa8c629feb6516e7ba7
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (rake version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2020-8130 | 6.4 | rake-10.5.0.gem | Direct | v12.3.3 | ✅ |
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2020-8130
Vulnerable Library - rake-10.5.0.gem
Dependency Hierarchy:
- ❌ rake-10.5.0.gem (Vulnerable Library)
Found in HEAD commit: f50839884cfe536c10162aa8c629feb6516e7ba7
Found in base branch: develop
Vulnerability Details
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.
Publish Date: 2020-02-24
URL: CVE-2020-8130
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130
Release Date: 2020-02-24
Fix Resolution: v12.3.3
⛑️ Automatic Remediation will be attempted for this issue.