Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:
Category:Debian Local Security Checks
Title:Debian LTS: Security Advisory for rails (DLA-2251-1)
Summary:The remote host is missing an update for the 'rails'; package(s) announced via the DLA-2251-1 advisory.
The remote host is missing an update for the 'rails'
package(s) announced via the DLA-2251-1 advisory.

Vulnerability Insight:
Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based
framework geared for web application development, which could lead to
remote code execution and untrusted user input usage, depending on the


Strong parameters bypass vector in ActionPack. In some cases user
supplied information can be inadvertently leaked from Strong
Parameters. Specifically the return value of `each`, or
`each_value`, or `each_pair` will return the underlying
'untrusted' hash of data that was read from the parameters.
Applications that use this return value may be inadvertently use
untrusted user input.


Potentially unintended unmarshalling of user-provided objects in
MemCacheStore. There is potentially unexpected behaviour in the
MemCacheStore where, when untrusted user input is written to the
cache store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object
instead of plain text. Unmarshalling of untrusted user input can
have impact up to and including RCE. At a minimum, this
vulnerability allows an attacker to inject untrusted Ruby objects
into a web application.

In addition to upgrading to the latest versions of Rails,
developers should ensure that whenever they are calling
`Rails.cache.fetch` they are using consistent values of the `raw`
parameter for both reading and writing.

Affected Software/OS:
'rails' package(s) on Debian Linux.

For Debian 8 'Jessie', these problems have been fixed in version

We recommend that you upgrade your rails packages.

CVSS Score:

CVSS Vector:

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2020-8164
Debian Security Information: DSA-4766 (Google Search)
SuSE Security Announcement: openSUSE-SU-2020:1533 (Google Search)
SuSE Security Announcement: openSUSE-SU-2020:1536 (Google Search)
SuSE Security Announcement: openSUSE-SU-2020:1575 (Google Search)
Common Vulnerability Exposure (CVE) ID: CVE-2020-8165
SuSE Security Announcement: openSUSE-SU-2020:1677 (Google Search)
SuSE Security Announcement: openSUSE-SU-2020:1679 (Google Search)
CopyrightCopyright (C) 2020 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

© 1998-2021 E-Soft Inc. All rights reserved.