Skip to content

OS Command Injection in Rake

Moderate severity GitHub Reviewed Published Feb 28, 2020 to the GitHub Advisory Database • Updated Aug 29, 2023

Package

bundler rake (RubyGems)

Affected versions

<= 12.3.2

Patched versions

12.3.3

Description

There is an OS command injection vulnerability in Ruby Rake before 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.

References

Reviewed Feb 25, 2020
Published to the GitHub Advisory Database Feb 28, 2020
Last updated Aug 29, 2023

Severity

Moderate
6.4
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2020-8130

GHSA ID

GHSA-jppv-gw3r-w3q8

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.