Sha256: 2b973e45cfe1176946fc16c6d72c499473c46dbf46d6312cc3f45d8f72ef855a

Size: 926 Bytes

Versions: 1

Stored size: 926 Bytes

Contents

---
gem: actionview
framework: rails
cve: 2020-8163
date: 2020-05-15
url: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
title: Potential remote code execution of user-provided local names in ActionView
description: |
  There was a vulnerability in versions of Rails prior to 5.0.1 that would
  allow an attacker who controlled the `locals` argument of a `render` call.

  Versions Affected:  rails < 5.0.1
  Not affected:       Applications that do not allow users to control the names of locals.
  Fixed Versions:     4.2.11.2

  Impact
  ------

  In the scenario where an attacker might be able to control the name of a
  local passed into `render`, they can achieve remote code execution.

  Workarounds
  -----------

  Until such time as the patch can be applied, application developers should
  ensure that all user-provided local names are alphanumeric.

patched_versions:
  - ">= 4.2.11.2"

Version data entries

1 entries across 1 versions & 1 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/actionview/CVE-2020-8163.yml