Vulnerability details: VCID-a6sp-18av-wya6
Vulnerability ID VCID-a6sp-18av-wya6
Aliases CVE-2020-8164
GHSA-8727-m6gj-mc37
Summary Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3
Not affected: rails < 5.0.0
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically, the return value of `each`, `each_value`, or `each_pair` is the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input. Because the leaked object is a plain hash rather than an `ActionController::Parameters` instance, it does not respond to `permitted?`, so ActiveModel's forbidden-attributes check never fires and every key the client sent reaches the model. Impacted code will look something like this:

```ruby
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
  params.each { |k, v| SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above example: `each` returns the raw hash, `clean_up_params` returns that as its last expression, and `User.update` then receives the attacker's `is_admin: true` along with everything else.

Workarounds
-----------

Do not use the return values of `each`, `each_value`, or `each_pair` in your application.
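The following is an added example, not code from the advisory or from Rails itself. It models just enough of `ActionController::Parameters` and ActiveModel's `ForbiddenAttributesProtection` (here the hypothetical `ToyParameters` and `ToyUser`) to show why the pre-fix return value of `each` defeats strong parameters, what the fixed return value (`self`) changes, and what the always-correct `permit` allowlist looks like. The request hash is constructed; the only behaviour copied from Rails is the `each` return value before and after the fix, and the `respond_to?(:permitted?)` guard in the model.

```ruby
# Added example (not from the advisory or from Rails): a minimal stand-in for
# ActionController::Parameters and ActiveModel::ForbiddenAttributesProtection.
# Class and method names are illustrative; only the return value of `each`
# (raw hash before the fix, self after it) mirrors the real change.

class ForbiddenAttributesError < StandardError; end

# Minimal model of ActionController::Parameters.
class ToyParameters
  def initialize(hash, permitted: false)
    @parameters = hash          # the raw, untrusted request hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Allowlist: only the named keys survive, and the result is marked permitted.
  def permit(*keys)
    ToyParameters.new(@parameters.slice(*keys), permitted: true)
  end

  # Vulnerable shape (rails <= 6.0.3, CVE-2020-8164): Hash#each with a block
  # returns the receiver, so the raw hash leaks out as the return value.
  # `each_value` and `each_pair` had the same shape.
  def each_vulnerable(&block)
    @parameters.each(&block)
  end

  # Fixed shape (rails >= 5.2.4.3 / 6.0.3.1): iterate, then return self, so a
  # caller that misuses the return value still holds a Parameters object whose
  # permitted? flag is false.
  def each_fixed
    @parameters.each { |k, v| yield k, v }
    self
  end

  def to_h
    raise ForbiddenAttributesError, "unpermitted parameters" unless permitted?
    @parameters.dup
  end
end

# Minimal model of ActiveModel::ForbiddenAttributesProtection: only objects that
# respond to permitted? are checked; a plain Hash is assigned without question.
class ToyUser
  attr_reader :attributes

  def initialize
    @attributes = { name: nil, is_admin: false }
  end

  def update(attrs)
    if attrs.respond_to?(:permitted?) && !attrs.permitted?
      raise ForbiddenAttributesError, "unpermitted parameters"
    end
    attrs.each { |k, v| @attributes[k] = v if @attributes.key?(k) }
    self
  end
end

# Constructed request body: the attacker has added is_admin: true.
ATTACKER_PARAMS = { name: "mallory", is_admin: true }.freeze

# The advisory's clean_up_params pattern, whose last expression is `each`.
def clean_up_params_vulnerable(params)
  params.each_vulnerable { |k, _v| k == :name }   # returns the raw Hash
end

def clean_up_params_fixed(params)
  params.each_fixed { |k, _v| k == :name }        # returns the Parameters
end

def run_vulnerable
  params = ToyParameters.new(ATTACKER_PARAMS.dup)
  ToyUser.new.update(clean_up_params_vulnerable(params)).attributes
end

def run_fixed
  params = ToyParameters.new(ATTACKER_PARAMS.dup)
  ToyUser.new.update(clean_up_params_fixed(params)).attributes
rescue ForbiddenAttributesError => e
  e.class
end

# Correct on every Rails version: permit an explicit allowlist, pass only that.
def run_permitted
  params = ToyParameters.new(ATTACKER_PARAMS.dup)
  ToyUser.new.update(params.permit(:name).to_h).attributes
end

if __FILE__ == $PROGRAM_NAME
  p run_vulnerable   # {:name=>"mallory", :is_admin=>true}
  p run_fixed        # ForbiddenAttributesError
  p run_permitted    # {:name=>"mallory", :is_admin=>false}
end
```

The point to take from the three runs: the patched `each` does not make the `clean_up_params` pattern safe, it only turns a silent mass assignment into a `ForbiddenAttributesError`. Code that feeds the return value of `each`, `each_value` or `each_pair` to a model still needs to be rewritten around `permit`.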
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
epss 0.07389 https://api.first.org/data/v1/epss?cve=CVE-2020-8164
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8727-m6gj-mc37
cvssv3.1 7.5 https://github.com/rails/rails
generic_textual HIGH https://github.com/rails/rails
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
cvssv3 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
cvssv3.1 7.5 https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
generic_textual HIGH https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
cvssv3.1 7.5 https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
generic_textual HIGH https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
cvssv3.1 7.5 https://hackerone.com/reports/292797
generic_textual HIGH https://hackerone.com/reports/292797
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2020-8164
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2020-8164
cvssv3.1 7.5 https://www.debian.org/security/2020/dsa-4766
generic_textual HIGH https://www.debian.org/security/2020/dsa-4766
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
https://api.first.org/data/v1/epss?cve=CVE-2020-8164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
https://hackerone.com/reports/292797
https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
https://nvd.nist.gov/vuln/detail/CVE-2020-8164
https://www.debian.org/security/2020/dsa-4766
1842634 https://bugzilla.redhat.com/show_bug.cgi?id=1842634
GHSA-8727-m6gj-mc37 https://github.com/advisories/GHSA-8727-m6gj-mc37
RHSA-2021:1313 https://access.redhat.com/errata/RHSA-2021:1313
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Note that this vector scores only a confidentiality impact, while the advisory's own example is an attacker-supplied `is_admin: true` reaching `User.update`, i.e. a write. Where the leaked hash feeds a model update, treat the 7.5 as a floor rather than a ceiling when prioritising.

Found at:
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
https://hackerone.com/reports/292797
https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
https://nvd.nist.gov/vuln/detail/CVE-2020-8164
https://www.debian.org/security/2020/dsa-4766
Exploit Prediction Scoring System (EPSS)
Percentile 0.9169
EPSS Score 0.07389
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:00:32.301218+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-8727-m6gj-mc37/GHSA-8727-m6gj-mc37.json 38.0.0