Vulnerability-Lookup

BDU:2025-08594

Vulnerability from fstec - Published: 02.07.2020

Title

Уязвимость программной платформы Ruby on Rails, связанная с неправильной авторизацией, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость программной платформы Ruby on Rails связана с неправильной авторизацией. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, вызвать отказ в обслуживании

Severity ?


                    
                      AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vendor

Novell Inc., Rails Core Team, Сообщество свободного программного обеспечения, ООО «Ред Софт», Red Hat Inc.

Software Name

OpenSUSE Leap, SUSE Linux Enterprise Server for SAP Applications, SUSE Linux Enterprise Module for Server Applications, SUSE Linux Enterprise Module for Public Cloud, SUSE Enterprise Storage, SUSE Linux Enterprise High Performance Computing, Suse Linux Enterprise Server, openSUSE Tumbleweed, SUSE Manager Proxy, SUSE Manager Retail Branch Server, SUSE Manager Server, Ruby on Rails, Debian GNU/Linux, РЕД ОС (запись в едином реестре российских программ №3751), Red Hat Satellite

Software Version

15.1 (OpenSUSE Leap), 15 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Module for Server Applications), 15 SP1 (SUSE Linux Enterprise Module for Public Cloud), 6 (SUSE Enterprise Storage), 15-ESPOS (SUSE Linux Enterprise High Performance Computing), 15-LTSS (SUSE Linux Enterprise High Performance Computing), 15-LTSS (Suse Linux Enterprise Server), - (openSUSE Tumbleweed), 15 SP2 (SUSE Linux Enterprise Module for Server Applications), 15.2 (OpenSUSE Leap), 15 SP2 (SUSE Linux Enterprise Module for Public Cloud), 4.0 (SUSE Manager Proxy), 4.0 (SUSE Manager Retail Branch Server), 4.0 (SUSE Manager Server), до 5.2.4.3 (Ruby on Rails), от 6.0.0 до 6.0.3.1 (Ruby on Rails), 15 SP3 (SUSE Linux Enterprise Module for Server Applications), 15 SP1 (Suse Linux Enterprise Server), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (РЕД ОС), 15 SP3 (SUSE Linux Enterprise High Performance Computing), 15 SP3 (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 4.2 (SUSE Manager Server), 7 (SUSE Enterprise Storage), 15 SP2 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 4.1 (SUSE Manager Server), 4.1 (SUSE Manager Proxy), 4.1 (SUSE Manager Retail Branch Server), 15 SP4 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise High Performance Computing), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), 15 SP3 (SUSE Linux Enterprise Module for Public Cloud), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 15 SP4 (SUSE Linux Enterprise Module for Public Cloud), 15 SP4 (SUSE Linux Enterprise Module for Server Applications), 7.1 (SUSE Enterprise Storage), 15 SP1 (SUSE Linux Enterprise High Performance Computing), 15 SP5 (SUSE Linux Enterprise Server for SAP Applications), 15 SP5 (Suse Linux Enterprise Server), 15 SP5 (SUSE Linux Enterprise High Performance Computing), 15 SP5 (SUSE Linux Enterprise Module for Public Cloud), 15 SP6 (Suse Linux Enterprise Server), 15 SP6 (SUSE Linux Enterprise Server for SAP Applications), 15 SP6 (SUSE Linux Enterprise High Performance Computing), 15 SP6 (SUSE Linux Enterprise Module for Public Cloud), 6.9 for RHEL 7 (Red Hat Satellite)

Possible Mitigations

Использование рекомендаций: https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0 Для РедОС: https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-rubygem-actionpack-cve-2020-8164-cve-2020-8185-cve-2020-8166/?sphrase_id=1076181 Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2020-8185 Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/CVE-2020-8185 Для программных продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2020-8185.html

Reference

https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0 https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-rubygem-actionpack-cve-2020-8164-cve-2020-8185-cve-2020-8166/?sphrase_id=1076181https://security-tracker.debian.org/tracker/CVE-2020-8185 https://access.redhat.com/security/cve/CVE-2020-8185 https://www.suse.com/security/cve/CVE-2020-8185.html

CWE

CWE-285

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Novell Inc., Rails Core Team, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Red Hat Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "15.1 (OpenSUSE Leap), 15 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Server for SAP Applications), 15 SP1 (SUSE Linux Enterprise Module for Server Applications), 15 SP1 (SUSE Linux Enterprise Module for Public Cloud), 6 (SUSE Enterprise Storage), 15-ESPOS (SUSE Linux Enterprise High Performance Computing), 15-LTSS (SUSE Linux Enterprise High Performance Computing), 15-LTSS (Suse Linux Enterprise Server), - (openSUSE Tumbleweed), 15 SP2 (SUSE Linux Enterprise Module for Server Applications), 15.2 (OpenSUSE Leap), 15 SP2 (SUSE Linux Enterprise Module for Public Cloud), 4.0 (SUSE Manager Proxy), 4.0 (SUSE Manager Retail Branch Server), 4.0 (SUSE Manager Server), \u0434\u043e 5.2.4.3 (Ruby on Rails), \u043e\u0442 6.0.0 \u0434\u043e 6.0.3.1 (Ruby on Rails), 15 SP3 (SUSE Linux Enterprise Module for Server Applications), 15 SP1 (Suse Linux Enterprise Server), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 15 SP3 (SUSE Linux Enterprise High Performance Computing), 15 SP3 (Suse Linux Enterprise Server), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 4.2 (SUSE Manager Server), 7 (SUSE Enterprise Storage), 15 SP2 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 4.1 (SUSE Manager Server), 4.1 (SUSE Manager Proxy), 4.1 (SUSE Manager Retail Branch Server), 15 SP4 (Suse Linux Enterprise Server), 15 SP2 (SUSE Linux Enterprise High Performance Computing), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), 15 SP3 (SUSE Linux Enterprise Module for Public Cloud), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 15 SP4 (SUSE Linux Enterprise Module for Public Cloud), 15 SP4 (SUSE Linux Enterprise Module for Server Applications), 7.1 (SUSE Enterprise Storage), 15 SP1 (SUSE Linux Enterprise High Performance Computing), 15 SP5 (SUSE Linux Enterprise Server for SAP Applications), 15 SP5 (Suse Linux Enterprise Server), 15 SP5 (SUSE Linux Enterprise High Performance Computing), 15 SP5 (SUSE Linux Enterprise Module for Public Cloud), 15 SP6 (Suse Linux Enterprise Server), 15 SP6 (SUSE Linux Enterprise Server for SAP Applications), 15 SP6 (SUSE Linux Enterprise High Performance Computing), 15 SP6 (SUSE Linux Enterprise Module for Public Cloud), 6.9 for RHEL 7 (Red Hat Satellite)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421:\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-rubygem-actionpack-cve-2020-8164-cve-2020-8185-cve-2020-8166/?sphrase_id=1076181\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2020-8185\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2020-8185\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2020-8185.html",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "02.07.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "17.07.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "17.07.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-08594",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-8185",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "OpenSUSE Leap, SUSE Linux Enterprise Server for SAP Applications, SUSE Linux Enterprise Module for Server Applications, SUSE Linux Enterprise Module for Public Cloud, SUSE Enterprise Storage, SUSE Linux Enterprise High Performance Computing, Suse Linux Enterprise Server, openSUSE Tumbleweed, SUSE Manager Proxy, SUSE Manager Retail Branch Server, SUSE Manager Server, Ruby on Rails, Debian GNU/Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Red Hat Satellite",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Novell Inc. OpenSUSE Leap 15.1 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1 , Novell Inc. Suse Linux Enterprise Server 15-LTSS , Novell Inc. openSUSE Tumbleweed - , Novell Inc. OpenSUSE Leap 15.2 , Novell Inc. Suse Linux Enterprise Server 15 SP1 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Novell Inc. Suse Linux Enterprise Server 15 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3 , Novell Inc. Suse Linux Enterprise Server 15 SP2 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2 , Novell Inc. Suse Linux Enterprise Server 15 SP4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5 , Novell Inc. Suse Linux Enterprise Server 15 SP5 , Novell Inc. Suse Linux Enterprise Server 15 SP6 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP6 ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0435\u0439, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f (CWE-285)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0435\u0439. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-rubygem-actionpack-cve-2020-8164-cve-2020-8185-cve-2020-8166/?sphrase_id=1076181https://security-tracker.debian.org/tracker/CVE-2020-8185\nhttps://access.redhat.com/security/cve/CVE-2020-8185\nhttps://www.suse.com/security/cve/CVE-2020-8185.html",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-285",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)"
}

CVE-2020-8185 (GCVE-0-2020-8185)

Vulnerability from cvelistv5 – Published: 2020-07-02 18:35 – Updated: 2024-08-04 09:56

Summary

A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

Severity ?

No CVSS data available.

CWE

CWE-400 - Denial of Service (CWE-400)

Assigner

hackerone

References

URL

Tags

	https://hackerone.com/reports/899069	x_refsource_MISC
	https://groups.google.com/g/rubyonrails-security/…	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	n/a	https://github.com/rails/rails	Affected: Fixed in 6.0.3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:56:28.317Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/899069"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0"
          },
          {
            "name": "FEDORA-2020-4dd34860a3",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/rails/rails",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 6.0.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A denial of service vulnerability exists in Rails \u003c6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "Denial of Service (CWE-400)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-05T01:06:17.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/899069"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0"
        },
        {
          "name": "FEDORA-2020-4dd34860a3",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2020-8185",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/rails/rails",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in 6.0.3.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A denial of service vulnerability exists in Rails \u003c6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service (CWE-400)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/899069",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/899069"
            },
            {
              "name": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0",
              "refsource": "MISC",
              "url": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0"
            },
            {
              "name": "FEDORA-2020-4dd34860a3",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2020-8185",
    "datePublished": "2020-07-02T18:35:06.000Z",
    "dateReserved": "2020-01-28T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:56:28.317Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

BDU:2025-08594

CVE-2020-8185 (GCVE-0-2020-8185)

Tags

Sightings

Nomenclature