CVE-2020-8130: 
Ruby vulnerability analysis and mitigation

An OS command injection vulnerability was discovered in Ruby Rake versions prior to 12.3.3, specifically in the Rake::FileList component when supplying a filename that begins with the pipe character |. The vulnerability was assigned CVE-2020-8130 and was publicly disclosed in February 2020 (CVE Details, Ubuntu Security).

The vulnerability exists in the Rake::FileList component of Ruby Rake, where improper handling of filenames allows for command injection when a filename begins with the pipe character |. The vulnerability has a CVSS 3.1 Base Score of 6.4 (Medium), with the following vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. This indicates a local attack vector requiring high privileges and high attack complexity, but potentially resulting in high impacts to confidentiality, integrity, and availability (Ubuntu Security).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary commands on the affected system. The impact is particularly severe as it could lead to unauthorized command execution in the context of the Rake application (Ubuntu USN).

The vulnerability was fixed in Rake version 12.3.3. Users are advised to upgrade to this version or later. Multiple Linux distributions have released security updates to address this vulnerability, including Ubuntu (versions 19.10, 18.04, and 16.04), Fedora, and Debian (Ubuntu USN, OpenSUSE Security).