VDB
CVE-2020-8163
CVE-2020-8163
PUBLISHED
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
EPSS 91.07% · 99.7th percentile
Risk Scores
EPSS Score
91.07%
99.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:24.04:LTS | rails | 0, 2:6.1.7.3+dfsg-3, 2:6.1.7.3+dfsg-2build1 |
| Ubuntu:Pro:20.04:LTS | rails | *, 0, 2:5.2.3+dfsg-3 |
| Ubuntu:Pro:16.04:LTS | rails | *, 0, 2:4.1.10-1 |
| Ubuntu:Pro:18.04:LTS | rails | *, 2:4.2.10-0ubuntu4, 2:4.2.10-0ubuntu4+esm1 |
| Ubuntu:25.10 | rails | 0, *, * |
| Ubuntu:Pro:22.04:LTS | rails | 0, 2:6.1.4.1+dfsg-8ubuntu2+esm1, 2:6.0.3.7+dfsg-2 |
Timeline
- Jul 2, 2020 CVE Published
- Jul 27, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Nov 21, 2024 CVE Updated
- Mar 27, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- May 1, 2025 EPSS Score
- May 4, 2025 EPSS Score
- May 25, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-8163 third-party-advisory
- https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released/ third-party-advisory
- https://github.com/rails/rails/commit/4c46a15e0a7815ca9e4cd7c7fda042eb8c1b7724 third-party-advisory
- https://github.com/rails/rails/commit/1f3db0ad793441a0c00e85d56228fc80aafbe6c1 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-8163 third-party-advisory