CVE-2020-10933 — Use of Uninitialized Resource in Ruby
Severity: 5.3 MEDIUM (NVD)
EPSS: 0.4% (top 36.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 4
Latest update: May 24
Description
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.
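As an added example (not code from the advisory or from Ruby itself), a defensive wrapper for the affected call pattern: it only exposes bytes the call actually returned and clears the caller's buffer whenever `read_nonblock` reports `:wait_readable` or EOF, so stale heap contents left in a resized buffer are never read back. The helper name and the `UNIXSocket.pair` demo are assumptions.

```ruby
require 'socket'

# Constructed example: wrap BasicSocket#read_nonblock(size, buffer, exception: false)
# so that callers never rely on `buffer` contents beyond what the call returned.
# On affected Ruby versions the buffer is resized to `size` without any data
# being copied when nothing is readable; treating every non-String result as
# "no data" and clearing the buffer removes that exposure.
def safe_read_nonblock(sock, size, buffer = String.new)
  result = sock.read_nonblock(size, buffer, exception: false)
  case result
  when String
    # A String return is the only trustworthy data (it is the buffer object).
    result
  else
    # :wait_readable, :wait_writable or nil (EOF): discard the resized buffer.
    buffer.clear
    nil
  end
end

# Demo on a constructed socket pair: first read has nothing available,
# second read has "hello" queued.
def demo
  a, b = UNIXSocket.pair
  buf = String.new
  first = safe_read_nonblock(a, 4096, buf)   # nothing readable yet
  empty_after_first = buf.empty?             # buffer must hold no stale bytes
  b.write("hello")
  second = safe_read_nonblock(a, 4096, buf)  # real data now available
  a.close
  b.close
  { first: first, empty_after_first: empty_after_first, second: second }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```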
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 1 package
Also affects: Debian Linux 10.0, Fedora 31
Vulnerability Details
Vendor Advisories (4)
- Microsoft (2020-05-12): An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to ...
- Debian (2020): CVE-2020-10933: ruby2.7 - An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2....