(RHSA-2024:4499) Moderate: ruby security update

Published: 2024-07-11 11:24:57
CWE-125
access.redhat.com
36
Tags: ruby, scripting language, text processing, system management, security update, buffer overread, rce vulnerability, dos parsing, cve, cvss score, acknowledgments, references, unix

CVSS3: 9.8

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.1 (Confidence: High)

EPSS: 0.005 (Percentile: 76.6%)

Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es):

  • rubygem-uri: ReDoS vulnerability - upstream’s incomplete fix for CVE-2023-28755 (CVE-2023-36617)

  • ruby: Buffer overread vulnerability in StringIO (CVE-2024-27280)

  • ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281)

  • ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282)

  • REXML: DoS parsing an XML with many <s in an attribute value (CVE-2024-35176)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected configurations (Vulners node)

Affected package versions (any one of the following):

  • redhat ruby, Range: 3.0-8100020240522072634.489197e6
  • redhat ruby, Range: 3.1-8100020240510101534.489197e6
  • redhat ruby, Range: 3.3-8100020240522151542.489197e6
  • redhat ruby, Range: 2.5-8100020240627152904.489197e6
  • redhat ruby, Range: 3.1-9040020240503183840.9
  • redhat ruby, Range: 3.3-9040020240522171337.9
  • redhat ruby, Range: 3.0.7-162.el9_4
  • redhat ruby, Range: 2.7-8080020230427102918.63b34585
  • redhat ruby, Range: 2.5-8090020230627084142.b46abd14
  • redhat ruby, Range: 3.1-8090020240311122605.a75119d5
  • redhat ruby, Range: 3.1-9030020240320163942.9
  • redhat rh-ruby27-ruby-0, Range: 2.7.8-132.el7
  • redhat pcs, Range: 0.10.18-2.el8_10.1

AND platform (any one of the following):

  • redhat enterprise_linux, Match: 8
  • redhat enterprise_linux, Match: 9
  • redhat enterprise_linux, Match: highavailability

CPE list (Vendor / Product / Version / CPE):

  • redhat / ruby / * / cpe:2.3:a:redhat:ruby:*:*:*:*:*:*:*:*
  • redhat / rh-ruby27-ruby-0 / * / cpe:2.3:a:redhat:rh-ruby27-ruby-0:*:*:*:*:*:*:*:*
  • redhat / pcs / * / cpe:2.3:a:redhat:pcs:*:*:*:*:*:*:*:*
  • redhat / enterprise_linux / 8 / cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
  • redhat / enterprise_linux / 9 / cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*
  • redhat / enterprise_linux / highavailability / cpe:2.3:o:redhat:enterprise_linux:highavailability:*:*:*:*:*:*:*
