H1:2438265
Mar 27, 2024 - 11:54 p.m.

Internet Bug Bounty: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc

2024-03-27 23:54:54
ooooooo_q
hackerone.com
$4860
59
internet bug bounty
cve-2024-27281
rce vulnerability
rdoc
ruby 3.x
object injection
remote code execution
yaml
documentation cache
hackerone report

AI Score: 8.1 High (Confidence: Low)

EPSS: 0 Low (Percentile: 0.0%)

I made a report at https://hackerone.com/reports/1187477

https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

> An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.
> When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.
> When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.

Impact

RCE is possible when the rdoc command is executed for a repository received from an external source.
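
The root cause quoted above, unrestricted class restoration while parsing .rdoc_options as YAML, can be checked for before rdoc is run on an untrusted checkout. The following is an added example, not code from the report or from RDoc; the allowlist, the sample documents and the `Constructed::Placeholder` class name are assumptions made for illustration.

```ruby
require "psych"

# Assumption: the only explicit tag a legitimate .rdoc_options needs is RDoc's
# own options object; anything else is reported for review.
ALLOWED_TAGS = ["!ruby/object:RDoc::Options"].freeze

# Constructed sample: a file carrying only the expected object tag.
PLAIN = <<~YAML
  --- !ruby/object:RDoc::Options
  encoding: UTF-8
  markup: rdoc
  title: Example
YAML

# Constructed sample: an extra object tag nested in a value. The class name is
# a harmless placeholder that does not exist.
NESTED = <<~YAML
  --- !ruby/object:RDoc::Options
  title: !ruby/object:Constructed::Placeholder
    field: value
YAML

# Walk the YAML syntax tree (no Ruby objects are built) and return every
# explicit tag that is not on the allowlist.
def unexpected_tags(yaml_text)
  doc = Psych.parse(yaml_text)
  return [] unless doc
  tags = doc.each.filter_map { |node| node.tag if node.respond_to?(:tag) }
  tags.reject { |tag| ALLOWED_TAGS.include?(tag) }.uniq
end

# True when a restricted load refuses the document because it names a class
# outside permitted_classes (names given as strings).
def refused_by_safe_load?(yaml_text, permitted_classes = [])
  Psych.safe_load(yaml_text, permitted_classes: permitted_classes)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  { "PLAIN" => PLAIN, "NESTED" => NESTED }.each do |name, text|
    puts "#{name}: unexpected tags = #{unexpected_tags(text).inspect}"
  end
end
```

In a CI step, a non-empty result from `unexpected_tags` is a reason to stop before invoking rdoc on the checkout.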