CVE-2020-8165
Potentially unexpected behaviour vulnerability in activesupport (RubyGems)


What is CVE-2020-8165 About?

This vulnerability in ActiveSupport's MemCacheStore and RedisCacheStore allows untrusted user input stored with `raw: true` to be re-evaluated as a Marshalled object instead of plain text upon retrieval. This can lead to remote code execution (RCE) or injection of untrusted Ruby objects. Exploitation requires specific caching configurations and untrusted input, making it moderately complex.

Affected Software

  • activesupport
    • >=5.0.0, <5.2.4.3
    • >=6.0.0, <6.0.3.1

Technical Details

The vulnerability arises when an application uses ActiveSupport's MemCacheStore or RedisCacheStore to cache untrusted user input with the `raw: true` option. `raw: true` is meant to store the value as plain text, bypassing Marshal serialization on write. However, because of an inconsistency in the deserialization path on read (especially prominent in RedisCacheStore before the fix), reading that raw entry back can cause the store to unmarshal (deserialize) the user-supplied bytes as a Ruby Marshal stream instead of returning them as text. If the untrusted input is a valid Marshal stream describing crafted Ruby objects, this unmarshalling can lead to object injection, arbitrary code execution, or other severe impacts. The attack vector is an attacker supplying specially crafted input that the application stores 'raw' and later reads back, triggering the malicious deserialization.
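The read-path inconsistency described above, as an added illustration that is not ActiveSupport's own code: a minimal in-memory cache store whose backend (standing in for memcached or Redis) only holds Strings, with a vulnerable reader that tries `Marshal.load` on everything it gets back and a fixed reader that honours `raw: true` on read. The class, method names and the constructed sample input are assumptions made for this example.

```ruby
# Added illustration, not ActiveSupport's own code: a minimal cache store that
# models the read path described above. A memcached/redis backend only holds
# Strings, so the store must decide on read whether those bytes are a Marshal
# stream or plain text. The vulnerable reader tries Marshal.load on everything
# it gets back; the fixed reader honours raw: true and hands the bytes through.
class ModelCacheStore
  MARSHAL_MAGIC = "\x04\x08".b  # version header that starts every Marshal 4.8 dump

  def initialize(honor_raw_on_read:)
    @backend = {}  # stands in for memcached/redis; values are always Strings
    @honor_raw_on_read = honor_raw_on_read
  end

  def write(key, value, raw: false)
    @backend[key] = raw ? value.to_s : Marshal.dump(value)
  end

  def read(key, raw: false)
    payload = @backend[key]
    return nil if payload.nil?
    return payload if raw && @honor_raw_on_read  # fixed behaviour: raw in, raw out
    # Vulnerable behaviour: unmarshal whatever the backend returns and only fall
    # back to the bytes when they are not a Marshal stream at all.
    Marshal.load(payload)
  rescue TypeError, ArgumentError
    payload
  end

  # Defender-side check: refuse to cache user-supplied text that is itself a
  # Marshal stream, so an unpatched reader has nothing to unmarshal.
  def self.marshal_stream?(text)
    text.to_s.b.start_with?(MARSHAL_MAGIC)
  end
end

def demo
  # Constructed input: bytes a client could submit as an ordinary text field.
  untrusted = Marshal.dump({ "role" => "admin" })
  vulnerable = ModelCacheStore.new(honor_raw_on_read: false)
  vulnerable.write("profile", untrusted, raw: true)
  fixed = ModelCacheStore.new(honor_raw_on_read: true)
  fixed.write("profile", untrusted, raw: true)
  {
    vulnerable: vulnerable.read("profile", raw: true),  # a Hash: the text became an object
    fixed: fixed.read("profile", raw: true),            # the original String, untouched
    flagged: ModelCacheStore.marshal_stream?(untrusted) # true: input should be rejected
  }
end
```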

What is the Impact of CVE-2020-8165?

Successful exploitation may allow attackers to execute arbitrary code, inject untrusted objects, or manipulate application logic through deserialization of malicious data.

What is the Exploitability of CVE-2020-8165?

Exploitation complexity is moderate, requiring specific conditions. Prerequisites include the use of MemCacheStore or RedisCacheStore in ActiveSupport, caching of untrusted user input, and the use of the `raw: true` option on write. No authentication or elevated privilege is required to supply the untrusted input if the application accepts it. This is a remote vulnerability, since the untrusted input typically originates from an external source. The special condition is the inconsistent handling of 'raw' entries on read, particularly in RedisCacheStore before the fix. Risk is highest when an application stores user-provided data directly in the cache with `raw: true` without prior validation.

What are the Known Public Exploits?

PoC Author    Link   Commentary
masahiro331   Link   PoC for CVE-2020-8165
hybryx        Link   PoC for CVE-2020-8165
danielklim    Link   PoC for CVE-2020-8165

What are the Available Fixes for CVE-2020-8165?

Available Upgrade Options

  • activesupport
    • >=5.0.0, <5.2.4.3 → Upgrade to 5.2.4.3
    • >=6.0.0, <6.0.3.1 → Upgrade to 6.0.3.1


Additional Resources

What are Similar Vulnerabilities to CVE-2020-8165?

Similar Vulnerabilities: CVE-2020-8164, CVE-2019-15849, CVE-2018-3746, CVE-2017-0831, CVE-2016-0752