CVE-2022-28739
published 2022-05-09

Priority: P3 43
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 3.87% (88.9th percentile)
There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. Any code path on an affected interpreter that converts attacker-controlled strings through these methods (for example, parsing numeric fields from a request or a file) is exposed; the NVD vector (C:H/I:N/A:N) rates the impact as confidentiality only, consistent with an over-read that discloses memory rather than corrupting it.
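The following is an added example, not part of the CVE record or of the ruby-lang project: a small Ruby check that compares a version string against the four ruby-lang ranges listed in the Affected section and reports whether that interpreter is in scope for CVE-2022-28739. The range table and the helper name `affected_by_cve_2022_28739?` are this example's own; the version bounds are taken verbatim from the record.

```ruby
# Added example (not part of the CVE record): decide whether a Ruby version
# string falls inside the ruby-lang ranges published for CVE-2022-28739.
require "rubygems" # Gem::Version handles "2.7.5", "3.1.0.pre1", etc.

# Affected ranges as published: [lower bound (inclusive, nil = none), first fixed version).
# Bounds copied from the record; the table layout itself is this example's assumption.
CVE_2022_28739_RANGES = [
  [nil,     "2.6.10"],  # < 2.6.10
  ["2.7.0", "2.7.6"],   # >= 2.7.0, < 2.7.6
  ["3.0.0", "3.0.4"],   # >= 3.0.0, < 3.0.4
  ["3.1.0", "3.1.2"],   # >= 3.1.0, < 3.1.2
].freeze

# Returns true when `version` (e.g. "2.7.5" or RUBY_VERSION) lies inside an
# affected range. Gem::Version gives proper semantic ordering, so "2.7.10"
# is correctly treated as newer than "2.7.6" rather than compared as a string.
def affected_by_cve_2022_28739?(version)
  v = Gem::Version.new(version)
  CVE_2022_28739_RANGES.any? do |lower, fixed|
    (lower.nil? || v >= Gem::Version.new(lower)) && v < Gem::Version.new(fixed)
  end
end

# Report on the interpreter running this script.
if __FILE__ == $PROGRAM_NAME
  status = affected_by_cve_2022_28739?(RUBY_VERSION) ? "AFFECTED" : "not affected"
  puts "Ruby #{RUBY_VERSION} (#{RUBY_PLATFORM}): #{status} by CVE-2022-28739"
end
```

Caveat: this check reads upstream version numbers only. Distribution packages backport the fix without bumping the upstream version (the Debian row above fixes the issue in ruby2.7 2.7.4-1+deb11u2 while still reporting 2.7.4), so on packaged Rubies consult the package version and the vendor advisory rather than RUBY_VERSION alone.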

Affected (14 ranges)

Vendor     Product                                   Version range                          Fixed in
apple      macos                                     >= 11.0 < 11.7.1                       11.7.1
apple      macos                                     >= 12.0 < 12.6.1                       12.6.1
apple      macos_big_sur                             -                                      -
apple      macos_monterey                            -                                      -
apple      macos_ventura                             -                                      -
debian     debian_linux                              -                                      -
debian     debian_linux                              -                                      -
debian     debian_linux                              -                                      -
debian     ruby2.7                                   < 2.7.4-1+deb11u2 (bullseye)           2.7.4-1+deb11u2 (bullseye)
msrc       cm1_ruby_2.6.10-1_on_cbl_mariner_1.0      -                                      -
ruby-lang  ruby                                      < 2.6.10                               2.6.10
ruby-lang  ruby                                      >= 2.7.0 < 2.7.6                       2.7.6
ruby-lang  ruby                                      >= 3.0.0 < 3.0.4                       3.0.4
ruby-lang  ruby                                      >= 3.1.0 < 3.1.2                       3.1.2

Rows marked "-" carry no version range or fixed version in the record.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd            v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:P/I:N/A:N
osv            -        9.8    CRITICAL  -
vendor_debian  -        7.5    HIGH      -
vendor_msrc    -        7.5    HIGH      -
vendor_redhat  -        7.5    HIGH      -
vendor_ubuntu  -        7.5    HIGH      -

Note the spread: NVD and the vendors agree on 7.5 HIGH (network-reachable, no privileges or interaction, confidentiality impact only), while OSV carries 9.8 CRITICAL. The record gives no vector for the OSV score, so treat 7.5 as the scored basis and the OSV figure as an unexplained outlier when prioritising.