Skip to content
/ CVE-2020-8163 Public

CVE-2020-8163 - Remote code execution of user-provided local names in Rails

62 stars 12 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

lucasallan/CVE-2020-8163

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
testapp
testapp
 
 
README.md
README.md
 
 
exploit.rb
exploit.rb
 
 
metasploit.rb
metasploit.rb
 
 

Repository files navigation

CVE-2020-8163

CVE-2020-8163 - Remote code execution of user-provided local names in Rails

Remote code execution of user-provided local names in Rails < 5.0.1

There was a vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a render call.

This vulnerability has been assigned the CVE identifier CVE-2020-8163.

Versions Affected: rails < 5.0.1 Not affected: Applications that do not allow users to control the names of locals. Fixed Versions: 4.2.11.2

Vulnerable app:

I've included a vulnerable app that can be used for testing purposes. The vulnerable endpoint is: main/index

About

CVE-2020-8163 - Remote code execution of user-provided local names in Rails

Resources

Readme
Activity

Stars

62 stars

Watchers

2 watching

Forks

12 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages