{
  "threat_severity" : "Moderate",
  "public_date" : "2019-08-29T00:00:00Z",
  "bugzilla" : {
    "description" : "rake: OS Command Injection via egrep in Rake::FileList",
    "id" : "1816270",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1816270"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-78",
  "details" : [ "There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.", "There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`." ],
  "statement" : "Red Hat CloudForms 5.10 and Red Hat Satellite 6 contain the affected rake version; however, they are not vulnerable because they do not use `egrep` after `FileList` loads a file with a pipe character, which makes OS command injection practically impossible with the existing Rakefile. Red Hat may update rake in future releases.\nThe version of rubygem-rake shipped with Red Hat Gluster Storage includes the vulnerable code, but the FileList module is currently not used by the product, and hence this issue has been rated as having a security impact of Low for RHGS.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.10 for RHEL 7",
    "release_date" : "2021-11-16T00:00:00Z",
    "advisory" : "RHSA-2021:4702",
    "cpe" : "cpe:/a:redhat:satellite:6.10::el7",
    "package" : "satellite-0:6.10.0-3.el7sat",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Satellite 6.10 for RHEL 7",
    "release_date" : "2021-11-16T00:00:00Z",
    "advisory" : "RHSA-2021:4702",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.10::el7",
    "package" : "satellite-0:6.10.0-3.el7sat",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Fix deferred",
    "package_name" : "cfme-amazon-smartstate",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5",
    "impact" : "low"
  }, {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Fix deferred",
    "package_name" : "cfme-gemset",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "fluentd",
    "cpe" : "cpe:/a:redhat:openshift:3.11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-logging-fluentd",
    "cpe" : "cpe:/a:redhat:openshift:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rubygem-rake",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8130\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8130\nhttps://github.com/advisories/GHSA-jppv-gw3r-w3q8" ],
  "name" : "CVE-2020-8130",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}