exploitDog
CVE-2024-27280

Published: 14 May 2024
Source: debian
EPSS: Low

Description

A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
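The following Ruby script is an added example, not code from the Debian tracker or from the ruby/stringio project. It does two things a practitioner would want after reading the description above: it checks a stringio version string against the three fixed versions the advisory names (3.0.3 as the main fix, 3.0.1.1 and 3.0.1.2 as the backports for Ruby 3.0 and 3.1), and it drives the sequence the advisory describes (seek past the end of the buffer, ungetbyte, then gets) and inspects the bytes StringIO had to grow the backing string with. Two things are this example's own assumptions rather than statements from the advisory: every version below 3.0.3 that is not on the fixed 3.0.1.x backport line is treated as affected, and a patched StringIO is expected to fill the gap between the old end of the string and the pushed-back byte with NUL bytes, so anything else in that gap is taken as the symptom of the overread. The seed string, seek offset and pushed byte are constructed inputs.

```ruby
require 'rubygems'   # Gem::Version
require 'stringio'

# Fixed stringio versions named in the advisory: 3.0.3 and later carry the
# main fix; 3.0.1.1 (Ruby 3.0) and 3.0.1.2 (Ruby 3.1) are backports on the
# 3.0.1.x line. Every other version below 3.0.3 is treated as affected here;
# that conservative reading of the advisory is this example's assumption.
MAIN_FIX      = Gem::Version.new('3.0.3')
BACKPORT_FROM = Gem::Version.new('3.0.1.1')
BACKPORT_LINE = Gem::Version.new('3.0.2')   # exclusive upper bound of 3.0.1.x

def stringio_fixed?(version)
  v = Gem::Version.new(version.to_s)
  return true if v >= MAIN_FIX
  v >= BACKPORT_FROM && v < BACKPORT_LINE
rescue ArgumentError
  false   # unparsable version string: assume affected
end

# Drives the sequence the advisory describes: seek past the end of the buffer,
# push a byte back with ungetbyte, then read with gets. StringIO has to grow the
# backing string to reach the new position; with the fix the bytes between the
# old end and the pushed-back byte are NUL padding, so neither gets nor the
# underlying string contains anything StringIO was not given. Stale bytes in
# that gap are the symptom to look for on an affected build (assumption: that
# is how the overread surfaces; this probe is a heuristic, not a proof).
def probe_unget_past_end(seed:, seek_to:, byte:)
  io = StringIO.new(String.new(seed))   # mutable copy, binary encoding
  io.seek(seek_to)                      # cursor beyond the end of the data
  io.ungetbyte(byte)                    # byte lands at seek_to - 1
  line = io.gets                        # reads from the pushed-back byte onward
  buf  = io.string
  gap  = buf.byteslice(seed.bytesize, seek_to - 1 - seed.bytesize) || ''
  {
    line: line,
    buffer: buf,
    gap_bytes: gap.bytes,
    gap_zeroed: gap.bytes.all?(&:zero?),
  }
end

# Combined status for the running interpreter: version verdict plus the
# behavioural probe. StringIO::VERSION exists from stringio 3.0.0 on; when it
# is missing the version is reported as unknown and treated as affected.
def stringio_status
  version = defined?(StringIO::VERSION) ? StringIO::VERSION : 'unknown'
  probe   = probe_unget_past_end(seed: 'abc', seek_to: 10, byte: 0x5a) # constructed input
  {
    ruby: RUBY_VERSION,
    stringio: version,
    version_fixed: stringio_fixed?(version),
    gap_zeroed: probe[:gap_zeroed],
    line: probe[:line],
  }
end

if __FILE__ == $0
  stringio_status.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it with the interpreter you are auditing (`ruby probe.rb`); the version verdict is the authoritative part, since it maps directly onto the advisory, while the behavioural probe only tells you whether the gap came back clean on this particular run. With the constructed input the patched behaviour is a 10-byte backing string of "abc", six NUL bytes and "Z", and gets returns just "Z".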

Packages

Package   Status         Fixed version   Release   Type
ruby3.2   not-affected                             package
ruby3.1   removed                                  package
ruby2.7   removed                                  package
ruby2.5   removed                                  package

Notes

  • https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/

  • https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 (v3.0.3)

  • https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8 (v3.0.1.1)

  • Do not confuse with bugfix for https://bugs.ruby-lang.org/issues/19389: https://github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233 (v3.0.1.2)

EPSS

Percentile: 84%
Score: 0.02308
Low

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 1 year ago

Same description as the Debian entry above.

CVSS3: 3.1
redhat
about 1 year ago

Same description as the Debian entry above.

CVSS3: 9.8
nvd
about 1 year ago

Same description as the Debian entry above.

CVSS3: 9.8
github
about 1 year ago

StringIO buffer overread vulnerability

CVSS3: 3.1
fstec
more than 1 year ago

Vulnerability in the ungetbyte and ungetc methods of the StringIO string handler for the Ruby programming language, allowing an attacker to affect the confidentiality of protected information
