CVE-2024-27281
published 2024-05-14CVE-2024-27281: An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a…
PriorityP427medium4.5CVSS 3.1
AVLACHPRNUIRSUCLILAL
EPSS
1.57%
72.3th percentile
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby2.7 | < ruby2.7 2.7.4-1+deb11u2 (bullseye) | ruby2.7 2.7.4-1+deb11u2 (bullseye) |
| debian | ruby3.1 | < ruby2.7 2.7.4-1+deb11u2 (bullseye) | ruby2.7 2.7.4-1+deb11u2 (bullseye) |
| msrc | azl3_ruby_3.3.0-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_ruby_3.3.3-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_ruby_3.1.4-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_ruby_3.1.4-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| ruby-lang | rdoc | >= 6.3.3 < 6.3.4.1 | 6.3.4.1 |
| ruby-lang | rdoc | >= 6.4.0 < 6.4.1.1 | 6.4.1.1 |
| ruby-lang | rdoc | >= 6.5.0 < 6.5.1.1 | 6.5.1.1 |
| ruby-lang | rdoc | >= 6.6.0 < 6.6.3.1 | 6.6.3.1 |
CVSS provenance
nvdv3.14.5MEDIUMCVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
osv4.5MEDIUM
vendor_debian4.5MEDIUM
vendor_msrc4.5MEDIUM
vendor_redhat4.5MEDIUM
vendor_ubuntu4.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Ruby vulnerability
vendor_ubuntu·2025-02-10·CVSS 4.5
CVE-2024-27281 [MEDIUM] Ruby vulnerability
Title: Ruby vulnerability
Summary: Ruby could be made to crash or run programs as your login if it
opened a specially crafted file.
USN-6838-1 fixed CVE-2024-27281 in Ruby 2.7, Ruby 3.0, Ruby 3.1,
and Ruby 3.2. This update provides the corresponding updates for
Ruby 2.3 and Ruby 2.5.
Original advisory details:
It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If
a user or automated system were tricked into parsing a specially crafted
.rdoc_options file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-27281)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2024-06-17·CVSS 4.5
CVE-2024-27282 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If
a user or automated system were tricked into parsing a specially crafted
.rdoc_options file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-27281)
It was discovered that the Ruby regex compiler incorrectly handled certain
memory operations. A remote attacker could possibly use this issue to
obtain sensitive memory contents. (CVE-2024-27282)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
An issue was discovered in RDoc 6.3.3 through 6.6.2 as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file object injection and resultant
vendor_msrc·2024-05-14·CVSS 4.5
CVE-2024-27281 [MEDIUM] CWE-502 An issue was discovered in RDoc 6.3.3 through 6.6.2 as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file object injection and resultant
An issue was discovered in RDoc 6.3.3 through 6.6.2 as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users a fixed version is rdoc 6.5.1.1.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the mai
Red Hat
ruby: RCE vulnerability with .rdoc_options in RDoc
vendor_redhat·2024-03-21·CVSS 4.5
CVE-2024-27281 [MEDIUM] CWE-94 ruby: RCE vulnerability with .rdoc_options in RDoc
ruby: RCE vulnerability with .rdoc_options in RDoc
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
A flaw was found in Rubygem RDoc. When parsing .rdoc_options used for configuration in RDoc as a YAML f
Debian
CVE-2024-27281: ruby2.7 - An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x ...
vendor_debian·2024·CVSS 4.5
CVE-2024-27281 [MEDIUM] CVE-2024-27281: ruby2.7 - An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x ...
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
Scope: local
bullseye: resolved (fixed in 2.7.4-1+deb11u2)
OSV
ruby2.3, ruby2.5 vulnerability
osv·2025-02-10·CVSS 4.5
CVE-2024-27281 [MEDIUM] ruby2.3, ruby2.5 vulnerability
ruby2.3, ruby2.5 vulnerability
USN-6838-1 fixed CVE-2024-27281 in Ruby 2.7, Ruby 3.0, Ruby 3.1,
and Ruby 3.2. This update provides the corresponding updates for
Ruby 2.3 and Ruby 2.5.
Original advisory details:
It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If
a user or automated system were tricked into parsing a specially crafted
.rdoc_options file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-27281)
OSV
ruby2.7, ruby3.0, ruby3.1, ruby3.2 vulnerabilities
osv·2024-06-17·CVSS 4.5
CVE-2024-27281 [MEDIUM] ruby2.7, ruby3.0, ruby3.1, ruby3.2 vulnerabilities
ruby2.7, ruby3.0, ruby3.1, ruby3.2 vulnerabilities
It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If
a user or automated system were tricked into parsing a specially crafted
.rdoc_options file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-27281)
It was discovered that the Ruby regex compiler incorrectly handled certain
memory operations. A remote attacker could possibly use this issue to
obtain sensitive memory contents. (CVE-2024-27282)
OSV
CVE-2024-27281: An issue was discovered in RDoc 6
osv·2024-05-14·CVSS 4.5
CVE-2024-27281 [MEDIUM] CVE-2024-27281: An issue was discovered in RDoc 6
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
GHSA
RDoc RCE vulnerability with .rdoc_options
ghsa·2024-03-25
CVE-2024-27281 [LOW] CWE-502 RDoc RCE vulnerability with .rdoc_options
RDoc RCE vulnerability with .rdoc_options
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.
When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.
When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.
We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
* For Ruby 3.0 users: Update to `rdoc` 6.3.4.1
* For Ruby 3.1 users: Update to `rdoc` 6.4.1.1
* For Ruby 3.2 users: Update to `
OSV
RDoc RCE vulnerability with .rdoc_options
osv·2024-03-25
CVE-2024-27281 [LOW] RDoc RCE vulnerability with .rdoc_options
RDoc RCE vulnerability with .rdoc_options
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.
When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.
When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.
We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
* For Ruby 3.0 users: Update to `rdoc` 6.3.4.1
* For Ruby 3.1 users: Update to `rdoc` 6.4.1.1
* For Ruby 3.2 users: Update to `
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2024-27281 rubygem-rdoc: ruby: RCE vulnerability with .rdoc_options in RDoc [fedora-39]
bugzilla·2024-04-25·CVSS 4.5
CVE-2024-27281 [MEDIUM] CVE-2024-27281 rubygem-rdoc: ruby: RCE vulnerability with .rdoc_options in RDoc [fedora-39]
CVE-2024-27281 rubygem-rdoc: ruby: RCE vulnerability with .rdoc_options in RDoc [fedora-39]
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2270749
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Use the following template to for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associated bugs get updated
when new packages are pushed to stable.
# bugfix, security, enhancement, newpackage (required)
type=security
# l
HackerOne
CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
hackerone·2024-03-29·CVSS 4.5
CVE-2024-27281 [MEDIUM] CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
I made a report at https://hackerone.com/reports/1187477
https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
> An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.
> When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.
> When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.
## Impact
RCE is possible when the `rdoc` command is executed for a repository received from the external.
RDoc RCE vulnerability with .rdoc_options
De
https://hackerone.com/reports/1187477https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/https://hackerone.com/reports/1187477https://lists.debian.org/debian-lts-announce/2024/09/msg00000.htmlhttps://lists.fedoraproject.org/archives/list/[email protected]/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/https://lists.fedoraproject.org/archives/list/[email protected]/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N/https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
2024-05-14
Published