// For flags

CVE-2024-27281

ruby: RCE vulnerability with .rdoc_options in RDoc

Severity Score

4.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.

Se descubrió un problema en RDoc 6.3.3 a 6.6.2, tal como se distribuye en Ruby 3.x a 3.3.0. Al analizar .rdoc_options (utilizado para la configuración en RDoc) como un archivo YAML, la inyección de objetos y la ejecución remota de código resultante son posibles porque no hay restricciones en las clases que se pueden restaurar. (Al cargar el caché de documentación, la inyección de objetos y la ejecución remota de código resultante también son posibles si hubiera un caché manipulado). La versión principal fija es 6.6.3.1. Para los usuarios de Ruby 3.0, una versión fija es rdoc 6.3.4.1. Para los usuarios de Ruby 3.1, una versión fija es rdoc 6.4.1.1. Para los usuarios de Ruby 3.2, una versión fija es rdoc 6.5.1.1.

A flaw was found in Rubygem RDoc. When parsing .rdoc_options used for configuration in RDoc as a YAML file there are no restrictions on the classes that can be restored. This issue may lead to object injection, resulting in remote code execution.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Local
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-06 CVE Published
  • 2024-08-20 CVE Updated
  • ---------- CVE Reserved
  • ---------- EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Oracle
Search vendor "Oracle"
 Linux
Search vendor "Oracle" for product "Linux"
*-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
*-
Affected
Alma
Search vendor "Alma"
 Linux
Search vendor "Alma" for product "Linux"
*-
Affected
Amazon
Search vendor "Amazon"
 Linux
Search vendor "Amazon" for product "Linux"
*-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
*-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
*-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
*-
Affected
Nutanix
Search vendor "Nutanix"
 Ahv
Search vendor "Nutanix" for product "Ahv"
*-
Affected
Oracle
Search vendor "Oracle"
 Linux
Search vendor "Oracle" for product "Linux"
*-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
*-
Affected
Rocky
Search vendor "Rocky"
 Linux
Search vendor "Rocky" for product "Linux"
*-
Affected
Slackware
Search vendor "Slackware"
 Slackware Linux
Search vendor "Slackware" for product "Slackware Linux"
*-
Affected