<p>We have released RDoc gem versions 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1, which contain a security fix for an RCE vulnerability. This vulnerability has been assigned the CVE identifier <a href="https://www.cve.org/CVERecord?id=CVE-2024-27281">CVE-2024-27281</a>.</p>
<h2>Details</h2>
<p>An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.</p>
<p>When parsing <code class="language-plaintext highlighter-rouge">.rdoc_options</code> (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.</p>
<p>When loading the documentation cache, object injection and resultant remote code execution are also possible if the cache has been crafted.</p>
<h2>Recommended action</h2>
<p>We recommend updating the RDoc gem to version 6.6.3.1 or later. To stay compatible with the version bundled in older Ruby series, you may instead update as follows:</p>
<ul>
<li>For Ruby 3.0 users: Update to <code class="language-plaintext highlighter-rouge">rdoc</code> 6.3.4.1</li>
<li>For Ruby 3.1 users: Update to <code class="language-plaintext highlighter-rouge">rdoc</code> 6.4.1.1</li>
<li>For Ruby 3.2 users: Update to <code class="language-plaintext highlighter-rouge">rdoc</code> 6.5.1.1</li>
</ul>
<p>You can use <code class="language-plaintext highlighter-rouge">gem update rdoc</code> to update it. If you are using bundler, please add <code class="language-plaintext highlighter-rouge">gem "rdoc", ">= 6.6.3.1"</code> to your <code class="language-plaintext highlighter-rouge">Gemfile</code>.</p>
<p>Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 contain an incorrect fix. We recommend upgrading to 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead.</p>
<h2>Affected versions</h2>
<ul>
<li>Ruby 3.0.6 or lower</li>
<li>Ruby 3.1.4 or lower</li>
<li>Ruby 3.2.3 or lower</li>
<li>Ruby 3.3.0</li>
<li>RDoc gem 6.3.3 or lower, 6.4.0 through 6.6.2 without the patch versions (6.3.4, 6.4.1, 6.5.1)</li>
</ul>
<h2>Credits</h2>
<p>Thanks to <a href="https://hackerone.com/ooooooo_q?type=user">ooooooo_q</a> for discovering this issue.</p>
<h2>History</h2>
<ul>
<li>Originally published at 2024-03-21 4:00:00 (UTC)</li>
</ul>
<p>Posted by hsbt on 21 Mar 2024</p>
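The flaw described under Details is a YAML loader that restores whatever class a document names. The following is an added example, not the advisory's text and not RDoc's own code or its actual fix: the option keys, the `SomeUnexpectedClass` stand-in and both sample documents are constructed for illustration, and `load_options` is a hypothetical hardened loader built on Psych's `safe_load` allow-list.

```ruby
require "yaml"

# Harmless stand-in class, constructed for this example. An unrestricted loader
# instantiates any class named in a !ruby/object: tag in exactly the same way.
class SomeUnexpectedClass
  attr_accessor :attr
end

# Constructed sample: the kind of plain mapping a configuration file such as
# .rdoc_options carries (illustrative keys, not RDoc's real schema).
BENIGN_OPTIONS = <<~YAML
  title: My Project
  main_page: README.md
  exclude:
    - spec/
YAML

# Constructed sample: the same file carrying a Ruby object tag.
TAGGED_OPTIONS = <<~YAML
  title: !ruby/object:SomeUnexpectedClass
    attr: value
YAML

# Unrestricted loader: the pattern the advisory describes. Psych 3 (Ruby 3.0)
# restores arbitrary objects through YAML.load; Psych 4 (Ruby 3.1+) moved that
# behaviour to YAML.unsafe_load and made YAML.load restricted by default.
def load_options_unrestricted(yaml_text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml_text) : YAML.load(yaml_text)
end

# Hardened loader (hypothetical): only scalars, collections and the explicitly
# permitted classes may be restored; any other tag raises Psych::DisallowedClass.
def load_options(yaml_text, permitted_classes: [Symbol])
  YAML.safe_load(yaml_text, permitted_classes: permitted_classes, aliases: false)
end

# Returns :accepted or :rejected for a document passed through the hardened loader.
def classify_options(yaml_text)
  load_options(yaml_text)
  :accepted
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  restored = load_options_unrestricted(TAGGED_OPTIONS)["title"]
  puts "unrestricted loader restored an instance of #{restored.class}"
  puts "hardened loader verdict: #{classify_options(TAGGED_OPTIONS)}"
end
```

The defensive point is the allow-list: `safe_load` refuses the tag before any class is resolved, so the outcome does not depend on which classes happen to be loadable in the process. The `permitted_classes` list should stay as small as the configuration format genuinely needs.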
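The version ranges under Recommended action and Affected versions, turned into a check of the rdoc gems installed in the current Ruby. This is an added example, not part of the advisory: the function names are mine, and the series-to-fix table is transcribed from the advisory's own numbers.

```ruby
require "rubygems"

# Fixed RDoc release per series, from the advisory. The earlier 6.3.4 / 6.4.1 /
# 6.5.1 / 6.6.3 releases carry the incorrect fix and compare lower than these,
# so they are reported as affected without special-casing.
FIXED_RDOC_VERSIONS = {
  "6.3" => Gem::Version.new("6.3.4.1"),
  "6.4" => Gem::Version.new("6.4.1.1"),
  "6.5" => Gem::Version.new("6.5.1.1"),
  "6.6" => Gem::Version.new("6.6.3.1"),
}.freeze

def rdoc_series(version_string)
  Gem::Version.new(version_string).segments.first(2).join(".")
end

# True when the given rdoc version falls inside the advisory's affected range.
# Series without a fix entry are compared against the 6.3 fix: anything older
# is in "6.3.3 or lower", anything newer than 6.6 postdates every fix.
def rdoc_affected?(version_string)
  version = Gem::Version.new(version_string)
  fixed = FIXED_RDOC_VERSIONS[rdoc_series(version_string)]
  return version < fixed if fixed
  version < FIXED_RDOC_VERSIONS["6.3"]
end

# Minimum version to move to: the fix of the same series when one exists (this
# keeps the bundled-version compatibility the advisory mentions), otherwise the
# latest fixed release.
def recommended_rdoc_fix(version_string)
  (FIXED_RDOC_VERSIONS[rdoc_series(version_string)] || FIXED_RDOC_VERSIONS["6.6"]).to_s
end

# Report on every rdoc gem visible to this Ruby, including the default gem
# bundled with the interpreter. Returns [[version, affected?], ...].
def installed_rdoc_report
  Gem::Specification.find_all_by_name("rdoc").map do |spec|
    [spec.version.to_s, rdoc_affected?(spec.version.to_s)]
  end
end

if __FILE__ == $PROGRAM_NAME
  installed_rdoc_report.each do |version, affected|
    status = affected ? "AFFECTED, upgrade to >= #{recommended_rdoc_fix(version)}" : "ok"
    puts "rdoc #{version}: #{status}"
  end
end
```

Run it with each Ruby installation you ship, since the default rdoc gem is per interpreter; a `gem update rdoc` in one Ruby does not touch the copy bundled with another.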
Title: CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
URL: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
Published: 2024-03-21 04:00:00 UTC
Feed: Ruby (EN RSS), Technology
Ricc internal notes
Imported via /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/import-feedjira.rb on 2024-04-03 16:31:19 +0200. Content is EMPTY here. Entried: title,url,summary,published,entry_id. TODO add Newspaper: filename = /Users/ricc/git/gemini-news-crawler/webapp/db/seeds.d/../../../crawler/out/feedjira/Technology/Ruby (EN RSS)/2024-03-21-CVE-2024-27281:_RCE_vulnerability_with_.rdoc_options_in_RDoc-v2.yaml