---
gem: actionview
framework: rails
cve: 2020-8163
date: 2020-05-15
url: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
title: Potential remote code execution of user-provided local names in ActionView
description: |
  There was a vulnerability in versions of Rails prior to 5.0.1 that would
  allow an attacker who controlled the `locals` argument of a `render` call.

  Versions Affected:  rails < 5.0.1
  Not affected:       Applications that do not allow users to control the names of locals.
  Fixed Versions:     4.2.11.2

  Impact
  ------
  In the scenario where an attacker might be able to control the name of a
  local passed into `render`, they can achieve remote code execution.

  Workarounds
  -----------
  Until such time as the patch can be applied, application developers should
  ensure that all user-provided local names are alphanumeric.
patched_versions:
  - ">= 4.2.11.2"