CVE-2020-8185: Uncontrolled Resource Consumption in Rails

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.7% (top 28.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 2, 2020

Description

A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

Source | Package | Introduced | Fixed in
NVD | rubyonrails/rails | 6.0.0 | 6.0.3.2
CVEList V5 | https/github.com_rails_rails | - | 6.0.3.2
RubyGems | actionpack_project/actionpack | 6.0.0 | 6.0.3.2

Also affects: Fedora 33

Patches

Vulnerability Details

CVEList, OSV: CVE-2020-8185: A denial of service vulnerability exists in Rails <6 (2020-07-02)
OSV, GHSA: Untrusted users can run pending migrations in production in Rails (2020-06-24)

Vendor Advisories

Red Hat: rubygem-rails: untrusted users able to run pending migrations in production (2020-06-17)
Debian: CVE-2020-8185: rails - A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untru... (2020)

Community

Bugzilla: CVE-2020-8185 rubygem-rails: untrusted users able to run pending migrations in production (2020-06-30)
Bugzilla: CVE-2020-8185 rubygem-rails: untrusted users able to run pending migrations in production [fedora-all] (2020-06-30)
CVE-2020-8185 — Uncontrolled Resource Consumption | cvebase