CVE-2020-8130
OS command injection vulnerability in rake (RubyGems)

OS command injection; no known exploit

What is CVE-2020-8130 About?

This OS command injection vulnerability in Ruby Rake before 12.3.3 allows arbitrary command execution. By supplying a filename that begins with a pipe character (`|`) to `Rake::FileList`, an attacker can inject and execute system commands, making it relatively easy to exploit. The significant impact is full system compromise.

Affected Software

rake <12.3.3

Technical Details

The vulnerability exists in `Rake::FileList` within Ruby Rake versions prior to 12.3.3. `Rake::FileList` is designed to handle file paths. However, if a filename argument supplied to `Rake::FileList` begins with a pipe character (`|`), Rake improperly interprets this as a shell command rather than a literal filename. This allows an attacker to inject arbitrary operating system commands following the pipe character. When Rake subsequently processes or executes operations on this 'filename', the injected command is executed on the underlying system with the privileges of the Rake process. This mechanism bypasses intended file handling, leading directly to remote code execution.

What is the Impact of CVE-2020-8130?

Successful exploitation may allow attackers to execute arbitrary operating system commands on the server, leading to full system compromise, data theft, and defacement.

What is the Exploitability of CVE-2020-8130?

Exploitation requires the ability to provide specially crafted input, specifically a filename starting with a pipe character, to a `Rake::FileList` instance in a vulnerable Rake application. This could occur through various attack vectors, such as manipulated input fields in a web application that processes filenames via Rake, or through direct interaction with a Rake task. The authentication and privileges required depend on how the vulnerable Rake functionality is exposed: if it is reachable through a web interface, exploitation could be remote and unauthenticated; otherwise, it might require local access or authenticated remote access. The complexity is moderate, requiring knowledge of the affected Rake component and an input vector. The risk factors include any scenario where user-supplied input is directly or indirectly passed to `Rake::FileList`.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2020-8130?

Available Upgrade Options

  • rake
    • <12.3.3 → Upgrade to 12.3.3
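To check a project against the affected range above and to screen untrusted names before they reach `Rake::FileList`, a sketch like the following can be used. It is an added example, not code from this advisory or from the rake project; the lockfile excerpt is constructed, and `safe_filelist_name?` and `filter_filelist_names` are hypothetical helper names.

```ruby
# Added example: not code from the advisory or from the rake project.
require "rubygems" # provides Gem::Version

FIXED_RAKE = Gem::Version.new("12.3.3") # first fixed release, per the advisory

# Constructed Gemfile.lock excerpt; "examplegem" is a made-up gem name.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      examplegem (1.0.0)
        rake (>= 10.0)
      rake (12.3.2)

  PLATFORMS
    ruby
LOCK

# Resolved rake version in Gemfile.lock text, or nil if rake is not locked.
# Resolved specs are indented four spaces; dependency constraints use six,
# so the "rake (>= 10.0)" constraint line is not mistaken for a version.
def locked_rake_version(lock_text)
  m = lock_text.match(/^ {4}rake \(([^)\s]+)\)$/)
  m && Gem::Version.new(m[1])
end

# True when the lockfile pins a rake release older than the fixed one.
def rake_vulnerable?(lock_text)
  version = locked_rake_version(lock_text)
  !version.nil? && version < FIXED_RAKE
end

# Hypothetical guard: reject empty names, names containing NUL, and names
# that begin with the pipe character described in the advisory.
def safe_filelist_name?(name)
  s = name.to_s
  !s.empty? && !s.include?("\0") && !s.start_with?("|")
end

# Keep only the untrusted names that pass the guard (hypothetical helper).
def filter_filelist_names(names)
  names.select { |n| safe_filelist_name?(n) }
end

if __FILE__ == $PROGRAM_NAME
  puts "locked rake: #{locked_rake_version(SAMPLE_LOCK)}"
  puts "vulnerable:  #{rake_vulnerable?(SAMPLE_LOCK)}"
  p filter_filelist_names(["lib/a.rb", "| example", "README.md"])
end
```

The name guard is defence in depth for code that must accept user-supplied filenames; upgrading to 12.3.3 remains the fix.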

What are Similar Vulnerabilities to CVE-2020-8130?

Similar Vulnerabilities: CVE-2023-38035, CVE-2022-24348, CVE-2021-4112, CVE-2019-1002005, CVE-2017-1000250