CVE-2020-8165 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-8165 PUBLISHED

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

EPSS 90.13% · 99.6th percentile

Risk Scores

EPSS Score

90.13%

99.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:20.04:LTS	rails	0, 2:5.2.3+dfsg-3ubuntu0.1~esm1, 2:5.2.3+dfsg-3
Ubuntu:Pro:18.04:LTS	rails	2:4.2.9-2, 0, 2:4.2.9-4
Ubuntu:Pro:16.04:LTS	rails	2:4.2.5.2-2, 2:4.2.5.1-1, 2:4.2.5-1

Timeline

CVE Published
May 26, 2020 PoC Published
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Mar 19, 2023 EPSS Score
May 10, 2024 EPSS Score
Dec 17, 2024 EPSS Score
Mar 17, 2025 EPSS Score
May 1, 2025 EPSS Score
May 4, 2025 EPSS Score
Jun 1, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2020-8165 third-party-advisory
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released third-party-advisory
https://github.com/rails/rails/commit/f7e077f85e61fc0b7381963eda0ceb0e457546b5 third-party-advisory
https://github.com/rails/rails/commit/467e3399c9007996c03ffe3212689d48dd25ae99 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-8165 third-party-advisory

Open in Interactive Console →