#VU87692 Input validation error in RDoc - CVE-2024-27281

Cybersecurity Help s.r.o.

Published: 2024-03-21

Vulnerability identifier: #VU87692

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-27281

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RDoc
Web applications / Modules and components for CMS

Vendor: Ruby

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input when parsing .rdoc_options as a YAML file. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

RDoc: 6.3.0 - 6.6.3

External links
https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for ruby:3.3 module

Anolis OS update for ruby:2.5 module

Anolis OS update for ruby:3.0 module

Ubuntu update for ruby2.3

Multiple vulnerabilities in Dell OpenManage Network Integration (OMNI)

Red Hat Enterprise Linux 8 update for ruby module

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Debian update for ruby3.1

Gentoo update for RDoc

Ubuntu update for ruby2.7