Ruby · Ruby · CVE-2018-8778
**Name of the Vulnerable Software and Affected Versions**
Ruby versions prior to 2.2.10
Ruby versions 2.3.x prior to 2.3.7
Ruby versions 2.4.x prior to 2.4.4
Ruby versions 2.5.x prior to 2.5.1
Ruby version 2.6.0-preview1
**Description**
The vulnerability is in Ruby's `String#unpack`, which takes a format string of directives describing how to decode the receiver's bytes. The `@` directive sets the absolute byte offset at which decoding continues; when a very large number is given with `@`, the offset is converted to a negative value and the read lands before the start of the buffer (a buffer under-read). An attacker who controls the format string therefore chooses the offset and size of the read, in the manner of a format string vulnerability. Any script that passes externally supplied input as the format argument to `String#unpack` lets a remote attacker disclose data from the process heap.
**Recommendations**
For Ruby versions prior to 2.2.10, update to version 2.2.10 or later.
For Ruby versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later.
For Ruby versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later.
For Ruby versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later.
For Ruby version 2.6.0-preview1, update to 2.6.0-preview2 or later.
If you cannot upgrade immediately, never pass externally supplied data as the format argument to `String#unpack`: keep the format string a fixed literal in your code and treat only the data being unpacked as untrusted. If a caller genuinely must choose the format, accept only an allowlist of directives and bounds-check every `@N` offset against the buffer length before calling `unpack`.
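The following is an added example written for this page; it is not code from the Ruby project or from the advisory. It shows the dangerous pattern behind CVE-2018-8778 (a caller-supplied `String#unpack` format) next to the two safe alternatives recommended above: a fixed format literal, and an allowlisted format with the `@N` offset checked in Ruby before `unpack` sees it. The 16-byte record layout, the field names and the helper names (`parse_header`, `safe_unpack`) are assumptions constructed for the example.

```ruby
# Added example (not Ruby project code): the pattern behind CVE-2018-8778
# beside two safe alternatives. Record layout and names are constructed.

# Constructed 16-byte record: 4-byte magic, u32 LE length, i64 LE id.
RECORD = ["PKT1", 4, 0x1122334455667788].pack("a4Vq<").freeze

# VULNERABLE PATTERN: the format string comes from outside the program.
# On unfixed Ruby (before 2.2.10 / 2.3.7 / 2.4.4 / 2.5.1 / 2.6.0-preview2)
# a directive such as "@9223372036854775808C" turns the offset negative
# and reads heap memory before the buffer instead of raising an error.
def unpack_with_caller_format(data, fmt)
  data.unpack(fmt)
end

# SAFE PATTERN 1 (preferred): the format is a literal in the code, so only
# the data is untrusted, and its length is checked before unpacking.
HEADER_FORMAT = "a4Vq<".freeze
HEADER_SIZE = 16

def parse_header(data)
  raise ArgumentError, "record too short" if data.bytesize < HEADER_SIZE
  magic, length, id = data.unpack(HEADER_FORMAT)
  { magic: magic, length: length, id: id }
end

# SAFE PATTERN 2: if callers really must choose a format, accept only an
# allowlist of directives and bounds-check every "@N" against the buffer.
# Ruby Integers are arbitrary precision, so the comparison cannot wrap
# around the way the C-level offset did.
TOKEN   = /@\d+|[A-Za-z][<>!_]?(?:\d+|\*)?/   # one directive with modifiers/count
ALLOWED = /\A(?:[CcnNvV](?:\d+|\*)?|@(\d+))\z/ # unsigned ints and absolute offsets

def safe_unpack(data, fmt)
  tokens = fmt.scan(TOKEN)
  raise ArgumentError, "format contains unrecognized characters" unless tokens.join == fmt
  tokens.each do |tok|
    m = ALLOWED.match(tok) or raise ArgumentError, "directive #{tok.inspect} not allowed"
    offset = m[1]
    if offset && offset.to_i > data.bytesize
      raise ArgumentError, "@#{offset} is outside the #{data.bytesize}-byte buffer"
    end
  end
  data.unpack(fmt)
end

if __FILE__ == $PROGRAM_NAME
  p parse_header(RECORD)              # {:magic=>"PKT1", :length=>4, :id=>1234605616436508552}
  p safe_unpack(RECORD, "@4V")        # [4]
  begin
    safe_unpack(RECORD, "@9223372036854775808C")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

`safe_unpack` allows `@N` where `N` equals the buffer length (Ruby itself treats that as "positioned at the end" and yields `nil` for the next item) and rejects anything larger before `unpack` is called, so the check holds regardless of whether the interpreter underneath has the fix.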