CVE-2020-8130

Public on 2020-02-24

Modified on 2020-06-26

Description

There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.

Severity

Medium

See what this means

CVSS v3 Base Score

6.4

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	rubygem-rake	2020-06-23 06:05	ALAS-2020-1384
Amazon Linux 1	rubygem24-rake	2020-06-23 06:06	ALAS-2020-1385

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.4	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD	CVSSv2	6.9	AV:L/AC:M/Au:N/C:C/I:C/A:C
NVD	CVSSv3	6.4	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2020-8130 Mitre: CVE-2020-8130 FAQs regarding Amazon Linux ALAS/CVE Severity