{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-27281", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-20T14:02:13.614Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-08T20:56:26.831690"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://hackerone.com/reports/1187477"}, {"url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.953Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/1187477", "tags": ["x_transferred"]}, {"url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "affected": [{"vendor": "ruby", "product": "rdoc", "cpes": ["cpe:2.3:a:ruby:rdoc:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.3.3", "status": "affected", "lessThanOrEqual": "6.6.2", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-20T13:50:49.740883Z", "id": "CVE-2024-27281", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T14:02:13.614Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/1187477", "tags": ["x_transferred"]}, {"url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.953Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-27281", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-20T13:50:49.740883Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ruby:rdoc:*:*:*:*:*:*:*:*"], "vendor": "ruby", "product": "rdoc", "versions": [{"status": "affected", "version": "6.3.3", "versionType": "custom", "lessThanOrEqual": "6.6.2"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T14:01:57.566Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://hackerone.com/reports/1187477"}, {"url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-08T20:56:26.831690"}}}, "cveMetadata": {"cveId": "CVE-2024-27281", "state": "PUBLISHED", "dateUpdated": "2024-08-20T14:02:13.614Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en RDoc 6.3.3 a 6.6.2, tal como se distribuye en Ruby 3.x a 3.3.0. Al analizar .rdoc_options (utilizado para la configuraci\u00f3n en RDoc) como un archivo YAML, la inyecci\u00f3n de objetos y la ejecuci\u00f3n remota de c\u00f3digo resultante son posibles porque no hay restricciones en las clases que se pueden restaurar. (Al cargar el cach\u00e9 de documentaci\u00f3n, la inyecci\u00f3n de objetos y la ejecuci\u00f3n remota de c\u00f3digo resultante tambi\u00e9n son posibles si hubiera un cach\u00e9 manipulado). La versi\u00f3n principal fija es 6.6.3.1. Para los usuarios de Ruby 3.0, una versi\u00f3n fija es rdoc 6.3.4.1. Para los usuarios de Ruby 3.1, una versi\u00f3n fija es rdoc 6.4.1.1. Para los usuarios de Ruby 3.2, una versi\u00f3n fija es rdoc 6.5.1.1."}], "id": "CVE-2024-27281", "lastModified": "2024-11-21T09:04:14.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-14T15:11:57.250", "references": [{"source": "cve@mitre.org", "url": "https://hackerone.com/reports/1187477"}, {"source": "cve@mitre.org", "url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hackerone.com/reports/1187477"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3500", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:3.0-8100020240522072634.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-30T00:00:00Z"}, {"advisory": "RHSA-2024:3546", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:3.1-8100020240510101534.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3670", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:3.3-8100020240522151542.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-06T00:00:00Z"}, {"advisory": "RHSA-2024:4499", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.5-8100020240627152904.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-11T00:00:00Z"}, {"advisory": "RHSA-2024:3668", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby:3.1-9040020240503183840.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-06-06T00:00:00Z"}, {"advisory": "RHSA-2024:3671", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby:3.3-9040020240522171337.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-06-06T00:00:00Z"}, {"advisory": "RHSA-2024:3838", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby-0:3.0.7-162.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-06-11T00:00:00Z"}], "bugzilla": {"description": "ruby: RCE vulnerability with .rdoc_options in RDoc", "id": "2270749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270749"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-94", "details": ["An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.", "A flaw was found in Rubygem RDoc. When parsing .rdoc_options used for configuration in RDoc as a YAML file there are no restrictions on the classes that can be restored. This issue may lead to object injection, resulting in remote code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-27281", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "puppet-dns", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "puppet-dns", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "puppet-memcached", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "puppet-memcached", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "impact": "low", "package_name": "satellite-installer", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Affected", "package_name": "rh-ruby30-ruby", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "ruby", "product_name": "Red Hat Storage 3"}], "public_date": "2024-03-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-27281\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-27281\nhttps://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/"], "statement": "An attacker would need to provide a maliciously crafted configuration file or documentation cache to a user in order to trigger this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "rdoc 6.3.4.1, rdoc 6.4.1.1, rdoc 6.5.1.1"}