#VU25721 OS Command Injection in Rake - CVE-2020-8130

Cybersecurity Help s.r.o.

Published: 2020-03-02

Vulnerability identifier: #VU25721

Vulnerability risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-8130

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Rake
Web applications / Modules and components for CMS

Vendor: Ruby

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in "Rake::FileList" when supplying a filename that begins with the pipe character "|". A remote unauthenticated attacker can execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Rake: 12.0.0 - 12.3.2

External links
https://hackerone.com/reports/651518
https://lists.debian.org/debian-lts-announce/2020/02/msg00026.html
https://snyk.io/vuln/SNYK-RUBY-RAKE-552000

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

SUSE update for rubygem-rake

Amazon Linux AMI update for rubygem24-rake

Amazon Linux AMI update for rubygem-rake

GitLab security update for Ruby

Fedora 30 update for rubygem-rake

Fedora 31 update for rubygem-rake

OpenSUSE update for ruby

OS Command Injection in rake program in Ruby