GHSA-v5h6-c2hv-hv3r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v5h6-c2hv-hv3r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-v5h6-c2hv-hv3r/GHSA-v5h6-c2hv-hv3r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v5h6-c2hv-hv3r
- Aliases
- Related
- Published
- 2024-03-25T19:36:52Z
- Modified
- 2024-07-08T14:57:36.678339Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- StringIO buffer overread vulnerability
- Details
-
An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.
The
ungetbyteandungetcmethods on a StringIO can read past the end of a string, and a subsequent call toStringIO.getsmay return the memory value.This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.
We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
- For Ruby 3.0 users: Update to
stringio3.0.1.1 - For Ruby 3.1 users: Update to
stringio3.1.0.2
You can use
gem update stringioto update it. If you are using bundler, please addgem "stringio", ">= 3.0.1.2"to yourGemfile. - For Ruby 3.0 users: Update to
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-27280
- https://github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233
- https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8
- https://hackerone.com/reports/1399856
- https://github.com/ruby/stringio
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml
- https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280
Affected packages
RubyGems / stringio
Package
- Name
- stringio
- Purl
- pkg:gem/stringio