SB2020050439 - Information disclosure in Ruby
Published: May 4, 2020 Updated: July 26, 2020
Security Bulletin ID
SB2020050439
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2020-10933)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to BasicSocket#read_nonblock method outputs previous value of the heap instead of copying the requested data. A remote attacker can gain access to sensitive information on the system.
Remediation
Install update from vendor's website.
References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/
- https://security.netapp.com/advisory/ntap-20200625-0001/
- https://www.debian.org/security/2020/dsa-4721
- https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/