Miggo Logo
Miggo Vulnerability Database
CVE-2020-8151

CVE-2020-8151: Information disclosure issue in Active Resource

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-8151
GHSA ID
GHSA-46j2-xjgp-jrfm
EPSS Score
0.51788%
CWE
CWE-200
Published
5/21/2020
Updated
1/23/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
activeresourcerubygems< 5.1.15.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper URL encoding in ID parameter handling. The commit diff shows a critical change in lib/active_resource/base.rb where URI.parser.escape was replaced with URI.encode_www_form_component. The original method's encoding behavior allowed path traversal (e.g., '../') and special characters (e.g., '?') to bypass URL structure constraints, enabling unauthorized data access. The added test cases in finder_test.rb explicitly validate these attack scenarios, confirming the function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * possi*l* in*orm*tion *is*losur* issu* in **tiv* R*sour** <v*.*.* t**t *oul* *llow *n *tt**k*r to *r**t* sp**i*lly *r**t** r*qu*sts to ****ss **t* in *n un*xp**t** w*y *n* possi*ly l**k in*orm*tion.

Reasoning

T** vuln*r**ility st*ms *rom improp*r URL *n*o*in* in I* p*r*m*t*r **n*lin*. T** *ommit *i** s*ows * *riti**l ***n** in li*/**tiv*_r*sour**/**s*.r* w**r* URI.p*rs*r.*s**p* w*s r*pl**** wit* URI.*n*o**_www_*orm_*ompon*nt. T** ori*in*l m*t*o*'s *n*o*in