VYPR
Critical severity · NVD Advisory · Published Jun 19, 2020 · Updated May 9, 2025

CVE-2020-8165

Description

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unsafe deserialization in Rails MemCacheStore and RedisCacheStore via raw:true allows RCE when caching untrusted user data.

CVE-2020-8165 describes a deserialization of untrusted data vulnerability in the ActiveSupport cache stores of Ruby on Rails. The bug affects Rails versions prior to 5.2.4.3 and 6.0.3.1, specifically the MemCacheStore and RedisCacheStore implementations [2]. The root cause is that when untrusted user input is written to the cache using the raw: true parameter, the stored data is later deserialized using Ruby's Marshal.load without proper validation, leading to potential unintended unmarshalling of user-provided objects [2].

Exploitation requires an attacker to supply a crafted string that, when cached via a vulnerable call such as Rails.cache.fetch('demo', raw: true) { untrusted_string }, is treated on read as a serialized object and unmarshalled [2]. The attack vector is limited to applications that write untrusted input to the cache with the raw option enabled, but no additional authentication or network position is required beyond the ability to provide the malicious payload to the caching call [2]. The vulnerability is especially concerning for the RedisCacheStore, which, prior to the fix, did not record whether data had been written with the raw option and so could not tell a raw string from a serialized object at read time [2].

Successful exploitation can allow an attacker to inject arbitrary Ruby objects into the application's cache, which, upon deserialization, can lead to remote code execution (RCE) [2]. At a minimum, the attacker can inject untrusted Ruby objects, potentially leading to further compromise of the application and server [2].

The official fix was released in Rails versions 5.2.4.3 and 6.0.3.1 [2]. Developers unable to immediately upgrade are advised to ensure that all user-provided strings cached with the raw argument are validated to conform to expected formats [2]. The Ruby Advisory Database also tracks this issue as a security advisory for the activesupport gem [3]. No evidence of active exploitation in the wild (KEV) is indicated in the provided references.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
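The interim mitigation named above (validate every user-provided string before it is written with the raw argument) is easy to get wrong by hand, so the following Ruby code shows one way to centralise it. This is an added example written for this page, not code from Rails, ActiveSupport or the advisory. The module name RawCacheGuard, the FORMATS allowlist, and the MemoryStoreStub class (a constructed in-memory stand-in that accepts the raw: keyword the way ActiveSupport stores do, used instead of MemCacheStore or RedisCacheStore) are all assumptions of the example. Besides the anchored format regex, the guard rejects any string beginning with Marshal's version prefix, which is exactly the byte pattern that a cache store would later hand to Marshal.load.

```ruby
# Added example (not from the advisory or Rails): an allowlist guard for
# strings written to the cache with raw: true.
module RawCacheGuard
  # Marshal output starts with its format version bytes (4, 8). A user string
  # carrying this prefix is not a plain value and must never reach a raw write.
  MARSHAL_MAGIC = [Marshal::MAJOR_VERSION, Marshal::MINOR_VERSION].pack('CC').freeze

  # Expected formats for raw-cached values (hypothetical; adapt to the application).
  FORMATS = {
    hex_token: /\A[0-9a-f]{32,64}\z/,
    username:  /\A[a-z0-9_]{3,32}\z/,
    iso_date:  /\A\d{4}-\d{2}-\d{2}\z/
  }.freeze

  # True when the string carries Marshal's version prefix.
  def self.looks_like_marshal?(str)
    str.b.start_with?(MARSHAL_MAGIC)
  end

  # A value is acceptable only if it is a String, is not Marshal data, and
  # matches the named format exactly (anchored regex, no partial matches).
  def self.valid?(value, format)
    return false unless value.is_a?(String)
    return false if looks_like_marshal?(value)
    value.match?(FORMATS.fetch(format))
  end

  # Drop-in replacement for cache.fetch(key, raw: true) { ... } that refuses
  # to write a block result which fails the format check.
  def self.fetch_raw(store, key, format)
    cached = store.read(key, raw: true)
    return cached unless cached.nil?
    value = yield
    unless valid?(value, format)
      raise ArgumentError, "refusing raw cache write for #{key.inspect}: value does not match #{format}"
    end
    store.write(key, value, raw: true)
    value
  end
end

# Minimal in-memory stand-in for a cache store (constructed for this example).
# It accepts the raw: keyword like ActiveSupport stores do and stores strings as-is.
class MemoryStoreStub
  def initialize
    @data = {}
  end

  def read(key, raw: false)
    @data[key]
  end

  def write(key, value, raw: false)
    @data[key] = value
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  store = MemoryStoreStub.new
  puts RawCacheGuard.fetch_raw(store, 'demo', :username) { 'alice_01' }
  begin
    # A Marshal-encoded string is refused before it can be written raw.
    RawCacheGuard.fetch_raw(store, 'bad', :username) { Marshal.dump('x') }
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Routing every raw write through fetch_raw keeps the allowlist in one place, so a reviewer can audit which formats are permitted instead of hunting for each raw: true call; upgrading to 5.2.4.3 or 6.0.3.1 remains the actual fix.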

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Affected versions     Patched versions
activesupport (RubyGems)  >= 5.0.0, < 5.2.4.3   5.2.4.3
activesupport (RubyGems)  >= 6.0.0, < 6.0.3.1   6.0.3.1

Affected products: 22

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 14

News mentions: 0 (no linked articles in our index yet)