Home > Vulnerability Database > CVE-2024-27282

Mend.io Vulnerability Database

CVE-2024-27282

Good to know:

Date: May 8, 2024

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.

Language: C

Severity Score

6.6

Related Resources (7)

Url: https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/

Url: https://security.netapp.com/advisory/ntap-20241011-0007/

Url: https://hackerone.com/reports/2122624

Url: https://github.com/ruby/ruby/commit/dde99215f2bc60c22a00fc941ff7f714f011e920

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27282

Url: https://security-tracker.debian.org/tracker/CVE-2024-27282

Url: https://www.mend.io/vulnerability-database/CVE-2024-27282

Severity Score

6.6

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Top Fix

Upgrade Version

Upgrade to version ruby - 2.4.4;ruby - 2.7.1

Learn More

CVSS v3.1

Base Score:	6.6
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27282

Good to know:

Date: May 8, 2024

Language: C

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?