Skip to main content

Use of Insufficiently Random Values

CVE-2019-5420

Severity High
Score 9.8/10

Summary

A remote code execution vulnerability in development mode Rails 5.2.0 before 5.2.2.1 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-330 - Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Advisory Timeline

  • Published