FKIE_CVE-2024-27281

Vulnerability from fkie_nvd - Published: 2024-05-14 15:11 - Updated: 2025-11-04 18:16
Severity ?
4.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
References
cve@mitre.orghttps://hackerone.com/reports/1187477
cve@mitre.orghttps://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
af854a3a-2127-422b-91ae-364da2661108https://hackerone.com/reports/1187477
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N/
af854a3a-2127-422b-91ae-364da2661108https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en RDoc 6.3.3 a 6.6.2, tal como se distribuye en Ruby 3.x a 3.3.0. Al analizar .rdoc_options (utilizado para la configuraci\u00f3n en RDoc) como un archivo YAML, la inyecci\u00f3n de objetos y la ejecuci\u00f3n remota de c\u00f3digo resultante son posibles porque no hay restricciones en las clases que se pueden restaurar. (Al cargar el cach\u00e9 de documentaci\u00f3n, la inyecci\u00f3n de objetos y la ejecuci\u00f3n remota de c\u00f3digo resultante tambi\u00e9n son posibles si hubiera un cach\u00e9 manipulado). La versi\u00f3n principal fija es 6.6.3.1. Para los usuarios de Ruby 3.0, una versi\u00f3n fija es rdoc 6.3.4.1. Para los usuarios de Ruby 3.1, una versi\u00f3n fija es rdoc 6.4.1.1. Para los usuarios de Ruby 3.2, una versi\u00f3n fija es rdoc 6.5.1.1."
    }
  ],
  "id": "CVE-2024-27281",
  "lastModified": "2025-11-04T18:16:12.833",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 4.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-14T15:11:57.250",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://hackerone.com/reports/1187477"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://hackerone.com/reports/1187477"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.