VIR Vulnerability Intelligence Relay

CVE-2020-8166

medium
Published 2020-05-18 · Modified 2026-05-05
CVSS v3
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v2
4.3
VIR risk
4.3

Description

Ability to forge per-form CSRF tokens in Rails

Predictions

Exploit likelihood
53%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-8166

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2020-8166.html

vendor Authored 2026-05-27

Vendor advisory: support@hackerone.com — https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debian10.0affected
debian debianbookwormfixed2:5.2.4.3+dfsg-1
debian debianbullseyefixed2:5.2.4.3+dfsg-1
debian debianforkyfixed2:5.2.4.3+dfsg-1
debian debiansidfixed2:5.2.4.3+dfsg-1
debian debiantrixiefixed2:5.2.4.3+dfsg-1

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemsactionpack<~> 5.2.4, >= 5.2.4.3~> 5.2.4, >= 5.2.4.3
ruby RubyGemsactionpack>=5.0.0,<5.2.4.35.2.4.3
ruby RubyGemsactionpack>=6.0.0,<6.0.3.16.0.3.1
ruby RUBYGEMSactionpack>= 6.0.0, <= 6.0.36.0.3.1
ruby RUBYGEMSactionpack>= 5.0.0, <= 5.2.4.25.2.4.3

Application impact
VendorProductVersionsFixed
rubyonrailsrails{"endExcluding":"5.2.4.3"}5.2.4.3

References

CWEs

CWE-352

Verify integrity in audit chain (admin only). AS-IS.