Taking into account that the Ruby on Rails website itself defines it as “a framework for building web applications that access databases”, you get a clear idea of what Ruby on Rails is for.

Ruby on Rails is free software that can be downloaded and installed at no cost. It has many uses in a company; to see this, it is enough to look at who has used it before, for example Twitter and Hulu, both multinationals.

Although it all seems very good, unfortunately, as with every application, it has had and may still have vulnerabilities, so you have to be very careful. We will analyze some of those found a while ago.

Vulnerabilities found in Ruby on Rails

▸CVE-2020-8264

This vulnerability applies when an application runs in development mode: an attacker who can send, or embed on another page, a specially crafted URL may be able to execute JavaScript in the context of the local application. It is rated 6.1 in terms of risk, and it was discovered recently.

▸CVE-2020-8163

This vulnerability can be exploited with network access and requires only a small amount of user privileges; it has a score of 8.8. It is a code injection vulnerability in Rails versions prior to 5.0.1 that allows an attacker who controls the locals argument of a render call to perform remote code execution (RCE).
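The description above says the risk comes from request data reaching the `locals` argument of `render`. The following is an added example, not code from the original post or from Rails itself: a small defensive filter that a developer can put in front of such a `render` call so that only an explicit allowlist of local-variable names, each a plain Ruby identifier, is ever handed to the template. The function names, the regular expression and the sample parameters are constructed for this illustration.

```ruby
# Added example (not from the original post, not Rails code): allowlist and
# validate the locals hash before it reaches `render locals: ...`, so that
# request-controlled key names can never be passed through to the template.

# Accept only names that are plain Ruby local-variable identifiers.
LOCAL_NAME = /\A[a-z_][a-zA-Z0-9_]*\z/.freeze

# True when `name` (String or Symbol) is a safe local-variable name.
def valid_local_name?(name)
  return false unless name.is_a?(String) || name.is_a?(Symbol)
  LOCAL_NAME.match?(name.to_s)
end

# Build the locals hash from untrusted input (for example request params).
# - anything that is not a Hash yields an empty locals hash;
# - only keys present in `allowed` survive; everything else is dropped;
# - the allowlist itself is validated, so a developer mistake such as
#   allowing "title; x" fails loudly instead of reaching the template.
def filter_locals(untrusted, allowed)
  allowed.each do |name|
    raise ArgumentError, "unsafe local name in allowlist: #{name.inspect}" unless valid_local_name?(name)
  end
  return {} unless untrusted.is_a?(Hash)

  allowed_set = allowed.map(&:to_s)
  untrusted.each_with_object({}) do |(key, value), out|
    name = key.to_s
    next unless allowed_set.include?(name)
    out[name.to_sym] = value
  end
end

# Demonstration with constructed request parameters; the unknown key is dropped.
if __FILE__ == $PROGRAM_NAME
  params = { "title" => "Hello", "page" => 2, "unexpected" => "dropped" }
  p filter_locals(params, %i[title page])   # => {:title=>"Hello", :page=>2}
end
```

In a controller this would be used as `render "show", locals: filter_locals(params.to_unsafe_h, %i[title page])`, with the allowlist written by the developer and never derived from the request. Upgrading to a patched Rails release remains the real fix; the filter only keeps untrusted names out of the call in the first place.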

▸CVE-2020-8165

This vulnerability can be exploited with network access and requires neither authorization privileges nor user interaction. Its attack complexity is considered low. It has the highest possible exploitability rating of 3.9, and the potential impact of exploitation is considered critical, since it has a high impact on confidentiality and integrity; it is rated 9.8.
