Platform
ruby
Component
actionpack-page_caching
Fixed in
1.2.2
1.2.1
CVE-2020-8159 is a critical vulnerability affecting the actionpack-page_caching Ruby gem. This flaw allows attackers to write arbitrary files to a web server, potentially enabling remote code execution. The vulnerability impacts versions of the gem equal to or less than 1.2.0. A fix is available in version 1.2.1.
The core of this vulnerability lies in the gem's page caching mechanism. An attacker can craft malicious requests that exploit this mechanism to write files to the web server's file system. If the attacker can successfully write unescaped ERB code to a view file, they can then trigger the execution of arbitrary code when a user views that page. This represents a significant risk of remote code execution, allowing an attacker to gain control of the web server and potentially compromise sensitive data or the entire system. The potential for code execution makes this a high-impact vulnerability.
CVE-2020-8159 was publicly disclosed on May 13, 2020. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the potential for remote code execution make it a high-priority target. The vulnerability's impact is comparable to other file access vulnerabilities that have led to server compromise. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
5.42% (90% percentile)
CVSS Vector
The primary mitigation for CVE-2020-8159 is to upgrade the actionpack-page_caching gem to version 1.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling page caching functionality. Implement strict file access controls on the web server to limit write access to only authorized directories. Monitor web server logs for suspicious file creation activity, particularly in directories where view files are stored. Consider using a Web Application Firewall (WAF) to filter requests that attempt to write files to the server.
Update the actionpack_page-caching gem to version 1.2.1 or higher. This can be done by modifying your Rails application's Gemfile and running `bundle update actionpack_page-caching`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-8159 is a critical vulnerability in the actionpack-page_caching gem allowing attackers to write arbitrary files, potentially leading to remote code execution. It affects versions <=1.2.0 and has a CVSS score of 9.8.
You are affected if your Ruby application uses the actionpack-page_caching gem in version 1.2.0 or earlier. Check your gem dependencies to determine if you are vulnerable.
Upgrade the actionpack-page_caching gem to version 1.2.1 or later. If upgrading is not possible immediately, disable page caching and implement stricter file access controls.
While no confirmed active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the RubySec advisory for detailed information: https://www.rubysec.com/2020-05-13-actionpack-page-caching-gem-arbitrary-file-access
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your Gemfile.lock file and we'll tell you instantly if you're affected.