CVE-2024-27281

EUVD-2024-0826

14.05.2024, 15:11

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.5 MEDIUM	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 85%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
ruby	rdoc	6.3.3 ≤ 𝑥 ≤ 6.6.2	ADP

Debian Releases

Debian Product

Codename

ruby2.7

bullseye	vulnerable
bullseye (security)	2.7.4-1+deb11u5 fixed

ruby3.1

bookworm	3.1.2-7+deb12u1 fixed
bookworm (security)	3.1.2-7+deb12u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

ruby2.3

focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
xenial	Fixed 2.3.1-2~ubuntu16.04.16+esm9 released

ruby2.5

bionic	Fixed 2.5.1-1ubuntu1.16+esm3 released
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

ruby2.7

focal	Fixed 2.7.0-5ubuntu1.13 released
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

ruby3.0

focal	dne
jammy	Fixed 3.0.2-7ubuntu2.6 released
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

ruby3.1

focal	dne
jammy	dne
mantic	Fixed 3.1.2-7ubuntu3.2 released
noble	dne
oracular	dne
plucky	dne
questing	dne

jruby

bionic	needs-triage
focal	needs-triage
jammy	dne
mantic	ignored
noble	needs-triage
oracular	ignored
plucky	needs-triage
questing	needs-triage
trusty	needs-triage
xenial	needs-triage

ruby3.2

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	Fixed 3.2.3-1ubuntu0.24.04.1 released
oracular	dne
plucky	dne
questing	dne
trusty	dne
xenial	dne

ruby3.3

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	not-affected
plucky	not-affected
questing	not-affected
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://hackerone.com/reports/1187477

https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

https://hackerone.com/reports/1187477

https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N/

https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/