Home > Vulnerability Database > CVE-2024-27281

Mend.io Vulnerability Database

CVE-2024-27281

Good to know:

Date: May 14, 2024

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.

Language: Ruby

Severity Score

4.5

Related Resources (6)

Url: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

Url: https://hackerone.com/reports/1187477

Url: https://github.com/ruby/rdoc/commit/d22ba930f1f611dda531dba04cd3d2531bb3f8a5

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27281

Url: https://security-tracker.debian.org/tracker/CVE-2024-27281

Url: https://www.mend.io/vulnerability-database/CVE-2024-27281

Severity Score

4.5

Top Fix

Upgrade Version

Upgrade to version rdoc - 6.3.4.1,6.4.1.1,6.5.1.1,6.6.3.1

Learn More

CVSS v3.1

Base Score:	4.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27281

Good to know:

Date: May 14, 2024

Language: Ruby

Severity Score

Related Resources (6)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?