漏洞信息详情
Ruby Rake 操作系统命令注入漏洞
- CNNVD编号:CNNVD-202002-1102 <!--
- 危害等级: 中危-->
- 危害等级: 中危
- CVE编号: CVE-2020-8130
- 漏洞类型: 操作系统命令注入
- 发布时间: 2020-02-24
- 威胁类型: 本地
- 更新时间: 2021-11-18
- 厂 商:
- 漏洞来源: Ubuntu
-
漏洞简介
Ruby是松本行弘软件开发者的一种跨平台、面向对象的动态类型编程语言。
Ruby Rake 12.3.3之前版本中的Rake::FileList存在操作系统命令注入漏洞。远程攻击者可借助以管道字符“ |”开头的文件名利用该漏洞在系统上执行任意命令。
漏洞公告
目前厂商已发布升级补丁以修复漏洞,详情请关注厂商主页:
https://github.com/ruby/rake
参考网址
来源:UBUNTU
链接:https://usn.ubuntu.com/4295-1/
来源:SUSE
链接:http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
来源:FEDORA
链接:https://lists.fedoraproject.org/archives/list/[email protected]/message/VXMX4ARNX2JLRJMSH4N3J3UBMUT5CI44/
来源:MLIST
链接:https://lists.debian.org/debian-lts-announce/2020/02/msg00026.html
来源:FEDORA
链接:https://lists.fedoraproject.org/archives/list/[email protected]/message/523CLQ62VRN3VVC52KMPTROCCKY4Z36B/
来源:MISC
链接:https://hackerone.com/reports/651518
来源:vigilance.fr
链接:https://vigilance.fr/vulnerability/Ruby-Rake-code-execution-via-Rake-FileList-Command-Injection-31691
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.0783/
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.1016/
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.1405/
来源:nvd.nist.gov
链接:https://nvd.nist.gov/vuln/detail/CVE-2020-8130
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2021.3919
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.0701/
来源:packetstormsecurity.com
链接:https://packetstormsecurity.com/files/156616/Ubuntu-Security-Notice-USN-4295-1.html
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.1638/
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.1878/
来源:packetstormsecurity.com
链接:https://packetstormsecurity.com/files/164991/Red-Hat-Security-Advisory-2021-4702-01.html
受影响实体
暂无
补丁
- Ruby Rake 操作系统命令注入漏洞的修复措施<!--2020-2-24-->
还没有评论,来说两句吧...