Home > Vulnerability Database > CVE-2024-27281

Mend.io Vulnerability Database

CVE-2024-27281

Good to know:

Date: May 8, 2024

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.

Language: Ruby

Severity Score

4.5

Related Resources (15)

Url: https://github.com/ruby/rdoc/commit/1254b0066f312ddbf7fae7a195e66ce5b3bc6656

Url: https://github.com/ruby/rdoc/commit/32ff6ba0bebd8ea26f569da5fd23be2937f6a644

Url: https://hackerone.com/reports/1187477

Url: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

Url: https://github.com/ruby/rdoc/commit/48617985e9fbc2825219d55f04e3e0e98d2923be

Url: https://github.com/ruby/rdoc/commit/d22ba930f1f611dda531dba04cd3d2531bb3f8a5

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27281

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rdoc/CVE-2024-27281.yml

Url: https://github.com/ruby/rdoc/commit/e4a0e71e6f1032f8b4e5e58b4ef60d702c22ce17

Url: https://github.com/ruby/rdoc/commit/da7a0c7553ef7250ca665a3fecdc01dbaacbb43d

Url: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281

Url: https://github.com/ruby/rdoc/commit/a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e

Url: https://github.com/ruby/rdoc

Url: https://github.com/ruby/rdoc/commit/811f125a4a0cc968e3eb18e16ea6c1a3b49a11bf

Url: https://www.mend.io/vulnerability-database/CVE-2024-27281

Severity Score

4.5

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version rdoc - 6.4.1.1;rdoc - 6.6.3.1;rdoc - 6.5.1.1;rdoc - 6.3.4.1

Learn More

CVSS v3.1

Base Score:	4.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27281

Good to know:

Date: May 8, 2024

Language: Ruby

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?