CVE-2024-27282

Description

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.

How to fix CVE-2024-27282

To remediate CVE-2024-27282, upgrade the affected package to a fixed version below.

• Alpine/ruby—upgrade to 3.1.5-r0 or later
• —upgrade to 3.1.5 or later
• —upgrade to 3.1.6 or later
• —upgrade to 2.7.4-1+deb11u2 or later
• —upgrade to 3.1.2-7+deb12u1 or later

Is CVE-2024-27282 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 3.1.5-r0
• from 0, < 3.1.5, >= 3.2.0, < 3.2.4, >= 3.3.0, < 3.3.1
• from 0, < 3.1.6, >= 3.2.0, < 3.2.6, >= 3.3.0, < 3.3.7
• from 0, < 2.7.4-1+deb11u2
• from 0, < 3.1.2-7+deb12u1

CVSS scores

References (9)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-27282
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-27282
• WEBhackerone.com/reports/2122624
• WEBlists.debian.org/debian-lts-announce/2024/09/msg00000.html