VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-42t7-kbeq-eqcm

Essentials
Severities (20)
References (19)
Severity details (18)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-42t7-kbeq-eqcm
Aliases	CVE-2020-8162 GHSA-m42x-37p3-fv5w
Summary	Circumvention of file size limits in ActiveStorage There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user. Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1 Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1 Impact ------ Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size. Workarounds ----------- This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-434	Unrestricted Upload of File with Dangerous Type
CWE-602	Client-Side Enforcement of Server-Side Security
CWE-20	Improper Input Validation

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json
epss	0.01549	https://api.first.org/data/v1/epss?cve=CVE-2020-8162
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-m42x-37p3-fv5w
cvssv3.1	7.5	https://github.com/aws/aws-sdk-ruby
generic_textual	HIGH	https://github.com/aws/aws-sdk-ruby
cvssv3.1	7.5	https://github.com/aws/aws-sdk-ruby/issues/2098
generic_textual	HIGH	https://github.com/aws/aws-sdk-ruby/issues/2098
cvssv3.1	7.5	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
generic_textual	HIGH	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
cvssv3	7.5	https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
cvssv3.1	7.5	https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
generic_textual	HIGH	https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
cvssv3.1	7.5	https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
generic_textual	HIGH	https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
cvssv3.1	7.5	https://hackerone.com/reports/789579
generic_textual	HIGH	https://hackerone.com/reports/789579
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2020-8162
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2020-8162
cvssv3.1	7.5	https://www.debian.org/security/2020/dsa-4766
generic_textual	HIGH	https://www.debian.org/security/2020/dsa-4766

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json
		https://api.first.org/data/v1/epss?cve=CVE-2020-8162
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
		https://github.com/aws/aws-sdk-ruby
		https://github.com/aws/aws-sdk-ruby/issues/2098
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
		https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
		https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
		https://hackerone.com/reports/789579
		https://nvd.nist.gov/vuln/detail/CVE-2020-8162
		https://www.debian.org/security/2020/dsa-4766
1843005		https://bugzilla.redhat.com/show_bug.cgi?id=1843005
GHSA-m42x-37p3-fv5w		https://github.com/advisories/GHSA-m42x-37p3-fv5w
RHSA-2021:1313		https://access.redhat.com/errata/RHSA-2021:1313

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/aws/aws-sdk-ruby

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/aws/aws-sdk-ruby/issues/2098

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://hackerone.com/reports/789579

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-8162

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.debian.org/security/2020/dsa-4766

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.81712
EPSS Score	0.01549
Published At	May 29, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-29T09:11:54.681515+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-m42x-37p3-fv5w/GHSA-m42x-37p3-fv5w.json	38.6.0