CVE-2024-27281

ruby: RCE vulnerability with .rdoc_options in RDoc

Severity Score

4.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.

Se descubrió un problema en RDoc 6.3.3 a 6.6.2, tal como se distribuye en Ruby 3.x a 3.3.0. Al analizar .rdoc_options (utilizado para la configuración en RDoc) como un archivo YAML, la inyección de objetos y la ejecución remota de código resultante son posibles porque no hay restricciones en las clases que se pueden restaurar. (Al cargar el caché de documentación, la inyección de objetos y la ejecución remota de código resultante también son posibles si hubiera un caché manipulado). La versión principal fija es 6.6.3.1. Para los usuarios de Ruby 3.0, una versión fija es rdoc 6.3.4.1. Para los usuarios de Ruby 3.1, una versión fija es rdoc 6.4.1.1. Para los usuarios de Ruby 3.2, una versión fija es rdoc 6.5.1.1.

A flaw was found in Rubygem RDoc. When parsing .rdoc_options used for configuration in RDoc as a YAML file there are no restrictions on the classes that can be restored. This issue may lead to object injection, resulting in remote code execution.

*Credits: N/A

CVSS Scores

CISAv3.1 4.5

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-06 CVE Published
2024-08-20 CVE Updated
---------- CVE Reserved
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-502: Deserialization of Untrusted Data

CAPEC

References (4)

URL	Tag	Source
https://hackerone.com/reports/1187477
https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-27281	2024-07-11
https://bugzilla.redhat.com/show_bug.cgi?id=2270749	2024-07-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
-		-				-		-		-