CVE-2024-27281

14.05.2024, 15:11

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.5 MEDIUM	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	4.5 MEDIUM	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 83%

Debian Releases

Debian Product

Codename

ruby2.7

bullseye	vulnerable
bullseye (security)	2.7.4-1+deb11u5 fixed

ruby3.1

bookworm	3.1.2-7+deb12u1 fixed
bookworm (security)	3.1.2-7+deb12u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

jruby

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
mantic	ignored
jammy	dne
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

ruby2.3

plucky	dne
oracular	dne
noble	dne
mantic	dne
jammy	dne
focal	dne
xenial	Fixed 2.3.1-2~ubuntu16.04.16+esm9 released

ruby2.5

plucky	dne
oracular	dne
noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	Fixed 2.5.1-1ubuntu1.16+esm3 released

ruby2.7

plucky	dne
oracular	dne
noble	dne
mantic	dne
jammy	dne
focal	Fixed 2.7.0-5ubuntu1.13 released

ruby3.0

plucky	dne
oracular	dne
noble	dne
mantic	dne
jammy	Fixed 3.0.2-7ubuntu2.6 released
focal	dne

ruby3.1

plucky	dne
oracular	dne
noble	dne
mantic	Fixed 3.1.2-7ubuntu3.2 released
jammy	dne
focal	dne

ruby3.2

plucky	dne
oracular	dne
noble	Fixed 3.2.3-1ubuntu0.24.04.1 released
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://hackerone.com/reports/1187477

https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

https://hackerone.com/reports/1187477

https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/