Attackers can execute their own code in the Ruby program
Vulnerability in Ruby gems allows data theft
There are currently vulnerabilities in RDoc and StringIO gems that allow attackers to execute code in the Ruby program. This makes cyber attacks and data theft possible. An update is available.
Developers who rely on the Ruby gems RDoc and StringIO are currently confronted with two security vulnerabilities. It is generally recommended to check and update the version used.
CVE-2024-27281: RCE .rdoc_options vulnerability in RDoc
An issue was discovered in RDoc 6.3.3 through 6.6.2 as provided in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resulting remote code execution are possible because there are no restrictions on the classes that can be restored. When loading the documentation cache, object injection and resulting remote code execution are also possible if there is a tampered cache.
This allows attackers to exploit CVE-2024-27281 in RDoc: they can inject their own code and execute it in the context of the affected program. Those affected are:
RDoc 6.3.3 or older, and 6.4.0 to 6.6.2 without the fixed releases installed (6.3.4, 6.4.1, 6.5.1)
As of versions 6.3.4.1 in Ruby 3.0 and 6.4.1.1 in Ruby 3.1, the gap is closed.
CVE-2024-27280: Buffer overread vulnerability in StringIO
Another problem was discovered in StringIO 3.0.1, in particular in Ruby 3.0.x to 3.0.6 and 3.1.x to 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets can return the stored value. This vulnerability does not affect StringIO 3.0.3 and later and Ruby 3.2.x and later.
With the StringIO gem this can lead to a buffer overread, tracked as CVE-2024-27280; there is also a separate entry for it in the Ruby news section. The system unintentionally passes on data, which allows attackers to read secret information. Combined with CVE-2024-27281, attackers can inject code and, using that code or other actions, read information. Those affected are:
StringIO 3.0.2 or older
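The following Ruby script is an added example, not code from the article or from the Ruby project. It does two things a practitioner would want after reading the two advisories: it checks the installed rdoc and stringio gems against the affected and fixed versions named in the article, and it shows the mitigation behind the RDoc issue, loading YAML with `YAML.safe_load` so that a document carrying a Ruby object tag is rejected instead of instantiated. The version ranges are taken from the text above (RDoc 6.3.3 through 6.6.2 affected, 6.3.4/6.4.1/6.5.1 fixed; StringIO 3.0.3 and later not affected); because the article names no fixed release on the 6.6 branch, the check treats every 6.6.x version up to 6.6.2 as affected. The sample YAML document and the helper names are constructed for this example.

```ruby
# Added example: version check for the two advisories, plus the safe-YAML
# mitigation. Version ranges are the ones stated in the article text.
require "rubygems"
require "yaml"

# Affected RDoc range per the advisory: 6.3.3 through 6.6.2.
RDOC_AFFECTED_MIN = Gem::Version.new("6.3.3")
RDOC_AFFECTED_MAX = Gem::Version.new("6.6.2")
# Fixed releases named in the article, keyed by minor branch.
# (No 6.6.x fix is named on the page, so that branch has no entry.)
RDOC_FIXED = {
  "6.3" => Gem::Version.new("6.3.4"),
  "6.4" => Gem::Version.new("6.4.1"),
  "6.5" => Gem::Version.new("6.5.1"),
}.freeze
# StringIO: 3.0.2 or older affected; 3.0.3 and later not affected.
STRINGIO_FIXED = Gem::Version.new("3.0.3")

# True if the given rdoc version falls in the affected range and is below
# the fixed release of its minor branch (or its branch has no fix listed).
def rdoc_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  return false if v < RDOC_AFFECTED_MIN || v > RDOC_AFFECTED_MAX
  branch = v.segments[0, 2].join(".")
  fixed = RDOC_FIXED[branch]
  fixed.nil? || v < fixed
end

def stringio_vulnerable?(version_string)
  Gem::Version.new(version_string) < STRINGIO_FIXED
end

# Inspect the gems installed in the running Ruby. Returns a hash of
# "name-version" => vulnerable? for every installed copy of each gem.
def installed_findings
  checks = {
    "rdoc"     => method(:rdoc_vulnerable?),
    "stringio" => method(:stringio_vulnerable?),
  }
  findings = {}
  checks.each do |name, check|
    Gem::Specification.find_all_by_name(name).each do |spec|
      findings["#{name}-#{spec.version}"] = check.call(spec.version.to_s)
    end
  end
  findings
end

# The RDoc issue is the classic unsafe-YAML pattern: restoring arbitrary
# Ruby classes from a file an attacker may control. With safe_load the
# tagged object below is rejected (Psych::DisallowedClass) rather than
# instantiated. Constructed sample document: a harmless Object tag, no data.
TAGGED_DOC = "--- !ruby/object:Object {}\n"

def safe_load_rejects_tagged?(doc = TAGGED_DOC)
  YAML.safe_load(doc)
  false
rescue Psych::DisallowedClass
  true
end

# Ordinary configuration data still loads fine under safe_load; only the
# explicitly permitted classes (here Symbol) may be restored.
def safe_load_plain(doc)
  YAML.safe_load(doc, permitted_classes: [Symbol], symbolize_names: true)
end

if __FILE__ == $PROGRAM_NAME
  installed_findings.each { |gem, vuln| puts "#{gem}: #{vuln ? 'AFFECTED' : 'ok'}" }
  puts "safe_load rejects tagged object: #{safe_load_rejects_tagged?}"
end
```

Run it with the Ruby whose gems you want to audit (`ruby check_gems.rb`); a multi-version install lists each copy separately, so a fixed rdoc next to an unfixed default gem is visible. The `permitted_classes` allowlist is the general form of the fix: anything loaded from a repository-controlled file such as `.rdoc_options` or a documentation cache should go through a loader that refuses unlisted classes.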
(ID:49979519)