Lucene search

GoogleOSV:GHSA-V5H6-C2HV-HV3R

HistoryMar 25, 2024 - 7:36 p.m.

StringIO buffer overread vulnerability

2024-03-2519:36:52

Google

osv.dev

stringio

buffer overread

vulnerability

update

memory value

ruby 3.0

ruby 3.1

gem update

7 High

AI Score

Confidence

Low

JSON

An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.

The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.

This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.

We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

For Ruby 3.0 users: Update to stringio 3.0.1.1
For Ruby 3.1 users: Update to stringio 3.1.0.2

You can use gem update stringio to update it. If you are using bundler, please add gem "stringio", ">= 3.0.1.2" to your Gemfile.

CPENameOperatorVersion
stringioeq3.0.1
stringioeq0.1.4
stringioeq0.1.3
stringioeq3.0.0
stringioeq0.0.1
stringioeq0.0.2
stringioeq0.1.0

Name	Operator	Version
stringio	eq	3.0.1
stringio	eq	0.1.4
stringio	eq	0.1.3
stringio	eq	3.0.0
stringio	eq	0.0.1
stringio	eq	0.0.2
stringio	eq	0.1.0

References

github.com/ruby/stringio

github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233

github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8

github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml

nvd.nist.gov/vuln/detail/CVE-2024-27280

www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280

7 High

AI Score

Confidence

Low

JSON

Related for OSV:GHSA-V5H6-C2HV-HV3R