CVE-2020-8165

9.8
9.8 / 10
CRITICAL

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

Weakness: Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Published: 2020-06-19

Vulnerable Products

Community Advisory

This section is open source, for any additional information that enhances or clarifies the official advisory above.

Improve Advisory

CVE-2020-8165 Exploits (9)

Bug Bounty

Ruby on Rails: Untrusted strings that are cache fetched with raw option are automatically marshal loaded

submitted by dylan-ts over 2 years ago
publicly disclosed 9 months ago

Official CVE References

View references (8)