FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ruby -- Arbitrary memory address read vulnerability with Regex search

Affected packages
3.1.0,1 <= ruby < 3.1.5,1
3.2.0,1 <= ruby < 3.2.4,1
3.3.0,1 <= ruby < 3.3.1,1
3.1.0,1 <= ruby31 < 3.1.5,1
3.2.0,1 <= ruby32 < 3.2.4,1
3.3.0,1 <= ruby33 < 3.3.1,1

Details

VuXML ID 2ce1a2f1-0177-11ef-a45e-08002784c58d
Discovery 2024-04-23
Entry 2024-04-23

sp2ip reports:

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.
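
Two checks a practitioner would want next to this entry, written here as an added example (it is not part of the VuXML entry, the reporter's text, or Ruby's own code): first, whether the running interpreter falls inside one of the affected version ranges listed above; second, the code shape the report warns about, attacker-supplied text handed straight to `Regexp.new`, beside the escaped form that keeps untrusted input out of the regex compiler entirely. The version bounds are taken from the "Affected packages" list with the FreeBSD `,1` PORTEPOCH suffix dropped, since that suffix is a ports-tree epoch and not part of the upstream Ruby version. The `unsafe_search`/`safe_search` names and the sample input are assumptions made for the demonstration.

```ruby
# Added example for the CVE-2024-27282 VuXML entry; not code from the advisory.
require "rubygems" # provides Gem::Version (normally loaded already)

# Affected upstream Ruby ranges from the entry above: lower bound inclusive,
# upper bound (the fixed release) exclusive. The FreeBSD ",1" PORTEPOCH is
# dropped because it is not part of the interpreter's RUBY_VERSION.
AFFECTED_RANGES = [
  [Gem::Version.new("3.1.0"), Gem::Version.new("3.1.5")],
  [Gem::Version.new("3.2.0"), Gem::Version.new("3.2.4")],
  [Gem::Version.new("3.3.0"), Gem::Version.new("3.3.1")],
].freeze

# True when `version` (a string such as RUBY_VERSION, e.g. "3.2.3") lies in
# one of the vulnerable ranges. This checks the version string only; it does
# not know whether a vendor package was patched, so on FreeBSD `pkg audit`
# (which reads VuXML) remains the authoritative check.
def affected_version?(version = RUBY_VERSION)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# The shape the report describes: the untrusted string *is* the pattern, so
# the regex compiler parses whatever the attacker wrote. (Hypothetical name.)
def unsafe_search(text, untrusted)
  Regexp.new(untrusted).match?(text)
end

# The defensive shape: Regexp.escape turns every metacharacter into a literal,
# so the attacker controls only the text being searched for, never the regex
# syntax. This is the right fix whenever the caller wanted a substring match,
# and it removes the attacker's input from the compiler on any Ruby version.
# (Hypothetical name.)
def safe_search(text, untrusted)
  Regexp.new(Regexp.escape(untrusted)).match?(text)
end

# Constructed input: a log line and a "search string" carrying metacharacters.
# Under unsafe_search ".*" is syntax and matches "alice"; under safe_search
# ".*" must appear verbatim in the text, so the match fails.
def demo
  text    = "user=alice role=admin"
  hostile = "user=.* role=admin"
  {
    version_affected: affected_version?,
    unsafe_matches:   unsafe_search(text, hostile), # true
    safe_matches:     safe_search(text, hostile),   # false
  }
end

puts demo.inspect if __FILE__ == $0
```

Run it with the interpreter you want to audit; `version_affected` reports on that interpreter, and the two match results show why escaping, rather than an interpreter upgrade alone, is what removes attacker control over the pattern.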

References

CVE Name CVE-2024-27282
URL https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/