PT-2024-2478 · Ruby · StringIO

David_H1 · Published 2024-03-19 · Updated 2025-09-29 · CVE-2024-27280

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable software and affected versions: StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and Ruby 3.1.x through 3.1.4. StringIO 3.0.3 and later (the version line bundled with Ruby 3.2 and later) is not affected.

Description: A buffer over-read was discovered in StringIO. The ungetbyte and ungetc methods can read past the end of the underlying string, and a subsequent call to gets on the same StringIO may return whatever bytes happened to be in that memory. The impact is an information leak of process memory to whoever receives the StringIO's output; whether an application is exposed depends on whether any code path calls ungetbyte or ungetc on a StringIO and then hands the result of gets to a user.

Recommendations: Update the StringIO gem to version 3.0.3 or later. To stay on the version line bundled with an older Ruby series, update instead as follows:
    Ruby 3.0 users: update to stringio 3.0.1.1
    Ruby 3.1 users: update to stringio 3.0.1.2
Run gem update stringio to update it. If you are using Bundler, add gem "stringio", ">= 3.0.1.2" to your Gemfile and re-resolve the lockfile so the bundled default gem is overridden.
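As an added example (not code from the advisory or from the stringio project), the following Ruby script turns the two halves of this page into a check a practitioner can run: it first classifies the installed stringio against the release boundaries the advisory gives (3.0.1 affected, 3.0.1.1 and 3.0.1.2 backported fixes, 3.0.3 and later unaffected), then runs a behavioural probe of the pattern the description names, pushing bytes back with ungetbyte or ungetc and reading them with gets. The gap size and the canary string are assumptions chosen for illustration. A clean probe on its own does not prove a build is patched, since it exercises only one positioning of the pattern; treat the version check as the authoritative gate and keep the probe as a regression check.

```ruby
require "stringio"
require "rubygems" # Gem::Version; already loaded by default on modern Ruby

# Version boundaries taken from the advisory: 3.0.1 (as bundled with Ruby
# 3.0.x through 3.0.6 and 3.1.x through 3.1.4) is the affected release,
# 3.0.1.1 / 3.0.1.2 are the backported fixes, 3.0.3 and later are unaffected.
AFFECTED_VERSION = Gem::Version.new("3.0.1")
BACKPORT_FIXES   = %w[3.0.1.1 3.0.1.2].map { |v| Gem::Version.new(v) }
FIXED_FROM       = Gem::Version.new("3.0.3")

# Classify a stringio gem version string against the advisory.
# Returns :affected, :fixed or :not_listed (a version the advisory does not
# name, such as 3.0.0 or 3.0.2; the safe action is still "move to 3.0.3+").
def stringio_status(version_string)
  return :not_listed if version_string.nil? || version_string.empty?
  v = Gem::Version.new(version_string)
  return :fixed if v >= FIXED_FROM || BACKPORT_FIXES.include?(v)
  return :affected if v == AFFECTED_VERSION
  :not_listed
rescue ArgumentError # malformed version string
  :not_listed
end

# The stringio the running interpreter actually loaded (a Gemfile pin only
# helps if this reports the pinned version, not the bundled default gem).
def installed_stringio_version
  defined?(StringIO::VERSION) ? StringIO::VERSION : nil
end

# Behavioural probe of the pattern the advisory describes: seek past the end
# of an empty StringIO, push bytes back with ungetbyte or ungetc, then read
# with gets. A correct stringio NUL-fills the gap between the old end and the
# new position and gets returns exactly the pushed-back bytes; any non-zero
# byte in the gap is stale memory the library handed back.
# :gap and :pushback are assumptions of this example, not advisory values.
def unget_probe(method: :ungetbyte, gap: 16, pushback: "CANARY")
  io = StringIO.new(+"", "r+")
  io.pos = gap                       # position well past the (empty) end
  io.public_send(method, pushback)   # both methods accept a String argument
  line = io.gets
  buf  = io.string.b
  gap_bytes = buf[0, gap - pushback.bytesize].bytes
  {
    line: line,
    buffer: buf,
    leaked: gap_bytes.reject(&:zero?),
    clean: line == pushback && gap_bytes.all?(&:zero?) && buf.bytesize == gap,
  }
end

if $PROGRAM_NAME == __FILE__
  ver = installed_stringio_version
  puts "stringio #{ver.inspect}: #{stringio_status(ver)}"
  %i[ungetbyte ungetc].each do |m|
    r = unget_probe(method: m)
    puts "#{m}: gets=#{r[:line].inspect} clean=#{r[:clean]} leaked=#{r[:leaked].inspect}"
  end
end
```

Run it under each Ruby you ship (rbenv, system Ruby, container base images) rather than once on a developer machine: stringio is a default gem, so the version that matters is the one each interpreter loads, which is exactly what installed_stringio_version reports.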

Tags: DoS · Buffer Over-read · Buffer Overflow

Weakness Enumeration

Related Identifiers

ALSA-2024:3500
ALSA-2024:3546
ALSA-2024:3668
ALSA-2024:3670
ALSA-2024:3671
ALSA-2024:3838
ALSA-2024:4499
ALSA-2025_16880
BDU:2024-02456
CESA-2024_3500
CESA-2024_3546
CESA-2024_3670
CESA-2024_4499
CVE-2024-27280
DLA-3858-1
DSA-5677-1
GHSA-v5h6-c2hv-hv3r
INFSA-2024_3500
INFSA-2024_3546
INFSA-2024_3668
INFSA-2024_3670
INFSA-2024_3671
INFSA-2024_3838
INFSA-2024_4499
MGASA-2024-0160
OESA-2024-1433
RHSA-2024:3500
RHSA-2024:3546
RHSA-2024:3668
RHSA-2024:3670
RHSA-2024:3671
RHSA-2024:3838
RHSA-2024:4499
RLSA-2024:3546
RLSA-2024:3668
RLSA-2024:3670
RLSA-2024:3671
RLSA-2024:4499
USN-6853-1
USN-7734-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Linux Mint
Apple macOS
Red Hat
RED OS
Rocky Linux
StringIO
Ubuntu