Information Exposure

Affecting actionpack gem, versions <5.2.4.3 || >=6.0.0, <6.0.3.1

Overview

Affected versions of this package are vulnerable to Information Exposure by Bypassing Strong Parameters. Specifically, the return value of each, each_value, or each_pair is the underlying "untrusted" hash of data that was read from the parameters.
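
The behaviour described above, as an added example that is not taken from the advisory or from the Rails source: a simplified Ruby model showing the affected return value beside the patched one. ToyParams, assign and demo are hypothetical names, and the input hash is constructed.

```ruby
# Simplified model of the behaviour described above; not Rails source code.
# ToyParams, assign and demo are hypothetical names used for illustration.
class ToyParams
  def initialize(raw, permitted = false)
    @raw = raw
    @permitted = permitted
  end

  # Allow-list filter, analogous in spirit to strong parameters.
  def permit(*keys)
    ToyParams.new(@raw.slice(*keys.map(&:to_s)), true)
  end

  # Conversion to a plain Hash is refused until keys were allow-listed.
  def to_h
    raise ArgumentError, "unpermitted parameters" unless @permitted
    @raw.dup
  end

  # Affected behaviour: Hash#each_pair returns its receiver, so the raw
  # hash becomes the return value of the wrapper's method.
  def each_pair_affected(&block)
    @raw.each_pair(&block)
  end

  # Patched behaviour: iterate, then return the wrapper itself.
  def each_pair_patched(&block)
    @raw.each_pair(&block)
    self
  end
end

# Stand-in for a mass-assignment sink (an assumption of this model): a plain
# Hash is accepted as-is, a ToyParams must have been permitted first.
def assign(attrs)
  attrs.is_a?(Hash) ? attrs : attrs.to_h
end

def demo
  params = ToyParams.new({ "name" => "alice", "admin" => "true" }) # constructed input
  leaked = assign(params.each_pair_affected { |_k, _v| }) # raw hash, nothing filtered
  blocked = begin
    assign(params.each_pair_patched { |_k, _v| })
  rescue ArgumentError => e
    e.message
  end
  { leaked: leaked, blocked: blocked, safe: assign(params.permit(:name)) }
end
```

When reviewing application code on an affected version, the pattern to look for is any place where the return value of each, each_value or each_pair on params is stored or passed on rather than discarded.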

Remediation

Upgrade actionpack to version 5.2.4.3, 6.0.3.1 or higher.

CVSS Score

6.5 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Credit: Unknown
CVE: CVE-2020-8164
CWE: CWE-200
Snyk ID: SNYK-RUBY-ACTIONPACK-569600
Disclosed: 19 May, 2020
Published: 19 May, 2020