CVE-2020-8163 (High) detected in actionview-4.2.11.gem

[mend-bolt-for-github]

CVE-2020-8163 - High Severity Vulnerability

Vulnerable Library - actionview-4.2.11.gem

Simple, battle-tested conventions and helpers for building web pages.

Library home page: https://rubygems.org/gems/actionview-4.2.11.gem

Dependency Hierarchy:

• sass-rails-5.0.7.gem (Root Library)
  • sprockets-rails-2.3.3.gem
    • actionpack-4.2.11.gem
      • ❌ actionview-4.2.11.gem (Vulnerable Library)

Found in HEAD commit: 6942614fdaa22f54c101995c996e72ea6f6c9553

Found in base branch: master

Vulnerability Details

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the locals argument of a render call to perform a RCE.

Publish Date: 2020-07-02

URL: CVE-2020-8163

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://rubygems.org/gems/actionview/versions/5.0.1

Release Date: 2020-06-01

Fix Resolution: 5.0.1

---

Step up your Open Source Security Game with WhiteSource here