rake-10.0.3.gem: 1 vulnerabilities (highest severity is: 6.4) #4
Description
Vulnerable Library - rake-10.0.3.gem
Rake is a Make-like program implemented in Ruby. Tasks and dependencies arespecified in standard Ruby syntax.
Library home page: https://rubygems.org/gems/rake-10.0.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rake-10.0.3.gem
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (rake version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2020-8130 |  Medium |
6.4 | rake-10.0.3.gem | Direct | v12.3.3 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-8130
Vulnerable Library - rake-10.0.3.gem
Rake is a Make-like program implemented in Ruby. Tasks and dependencies arespecified in standard Ruby syntax.
Library home page: https://rubygems.org/gems/rake-10.0.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rake-10.0.3.gem
Dependency Hierarchy:
- ❌ rake-10.0.3.gem (Vulnerable Library)
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.
Publish Date: 2020-02-24
URL: CVE-2020-8130
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130
Release Date: 2020-06-30
Fix Resolution: v12.3.3
Step up your Open Source Security Game with Mend here