CVE-2020-8163

8.8 HIGH

📋 TL;DR

This is a remote code execution vulnerability in Ruby on Rails that allows attackers to execute arbitrary code on vulnerable systems. It affects applications using Rails versions before 5.0.1 where user input can reach the 'locals' parameter in render calls.

💻 Affected Systems

Products:
  • Ruby on Rails
Versions: All versions prior to 5.0.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using render calls with user-controlled locals parameters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing the attacker to execute arbitrary commands, access sensitive data, and pivot to other systems.

🟠 Likely Case

Application compromise leading to data theft, defacement, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are in place, but still potentially serious.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit PoCs available, including on Packet Storm and HackerOne.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.1 or later

Vendor Advisory: https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0

Restart Required: Yes

Instructions:

1. Update Gemfile to specify 'gem "rails", ">= 5.0.1"'
2. Run 'bundle update rails'
3. Restart application server

🔧 Temporary Workarounds

Input validation for render locals

Applies to: all

Validate and sanitize all user input before passing it to render calls

🧯 If You Can't Patch

  • Implement strict input validation for all parameters passed to render calls
  • Use WAF rules to block suspicious render parameter patterns

🔍 How to Verify

Check if Vulnerable:

Check Rails version with 'rails --version' or examine Gemfile.lock for rails version

Check Version:

rails --version

Verify Fix Applied:

Confirm Rails version is 5.0.1 or higher and test render functionality with controlled inputs
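Added example (not from the advisory or from Rails itself): a small Ruby helper that reads the locked Rails version out of Gemfile.lock and compares it with the 5.0.1 patch level given above, plus an allowlist filter for locals built from user input, which is the workaround the page recommends. SAMPLE_LOCKFILE is a constructed input and the identifier regex is this example's own conservative choice.

```ruby
require "rubygems" # Gem::Version is used for version comparison

# Patched version stated in the advisory summary above.
PATCHED_RAILS = Gem::Version.new("5.0.1")

# Pull the locked rails version from Gemfile.lock text.
# Under "specs:" the line looks like "    rails (4.2.11.1)"; the
# DEPENDENCIES entry ("rails (= 4.2.11.1)") is skipped by requiring digits only.
def rails_version_from_lockfile(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A\s+rails \(([\d.]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

def rails_vulnerable_to_cve_2020_8163?(version)
  !version.nil? && version < PATCHED_RAILS
end

# Allowlist filter for render locals: only expected keys pass, and each key
# must be a plain local-variable name. Anything else raises before render.
def safe_render_locals(user_params, allowed_keys)
  allowed = allowed_keys.map(&:to_s)
  user_params.each_with_object({}) do |(key, value), out|
    k = key.to_s
    raise ArgumentError, "unexpected local #{k.inspect}" unless allowed.include?(k)
    raise ArgumentError, "bad local name #{k.inspect}" unless k.match?(/\A[a-z_][a-zA-Z0-9_]*\z/)
    out[k.to_sym] = value
  end
end

# Constructed Gemfile.lock fragment for a pre-5.0.1 application.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (4.2.11.1)
        railties (= 4.2.11.1)
      railties (4.2.11.1)
LOCK

if __FILE__ == $0
  v = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{v}: #{rails_vulnerable_to_cve_2020_8163?(v) ? 'VULNERABLE' : 'patched'}"
  puts safe_render_locals({ "title" => "Hello" }, [:title]).inspect
end
```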

📡 Detection & Monitoring

Log Indicators:

  • Unusual render calls with complex locals parameters
  • Errors from render calls with unexpected input

Network Indicators:

  • HTTP requests carrying unexpected parameter names that could reach render locals

SIEM Query:

source="rails.log" AND ("render" AND "locals" AND ("eval" OR "system" OR "exec"))
