From 9077cff27e2a5ed78b0a5beb255db4c480847032 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Sun, 24 Mar 2024 17:46:36 -0700
Subject: [PATCH] Added CVE-2024-27281 for the rdoc gem (issue #769).
---
gems/rdoc/CVE-2024-27281.yml | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 gems/rdoc/CVE-2024-27281.yml
diff --git a/gems/rdoc/CVE-2024-27281.yml b/gems/rdoc/CVE-2024-27281.yml
new file mode 100644
index 0000000000..91d6dbe56e
--- /dev/null
+++ b/gems/rdoc/CVE-2024-27281.yml
@@ -0,0 +1,34 @@
+---
+gem: rdoc
+cve: 2024-27281
+url: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
+title: RCE vulnerability with .rdoc_options in RDoc
+date: 2024-03-21
+description: |
+ An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby
+ 3.x through 3.3.0.
+
+ When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file,
+ object injection and resultant remote code execution are possible because
+ there are no restrictions on the classes that can be restored.
+
+ When loading the documentation cache, object injection and resultant remote
+ code execution are also possible if there were a crafted cache.
+
+ We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to
+ ensure compatibility with bundled version in older Ruby series, you may
+ update as follows instead:
+
+ * For Ruby 3.0 users: Update to `rdoc` 6.3.4.1
+ * For Ruby 3.1 users: Update to `rdoc` 6.4.1.1
+ * For Ruby 3.2 users: Update to `rdoc` 6.5.1.1
+
+ You can use `gem update rdoc` to update it. If you are using bundler, please
+ add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`.
+
+ Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to
+ upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.
+patched_versions:
+ - "~> 6.3.4, >= 6.3.4.1"
+ - "~> 6.4.1, >= 6.4.1.1"
+ - ">= 6.5.1.1"
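Review bot: The last `patched_versions` entry, `- ">= 6.5.1.1"`, is open-ended, so it also matches 6.6.0 through 6.6.2, which the description lists as affected, and 6.6.3, which the description's note says has an incorrect fix. Tools that consume this advisory would then report those releases as patched. Bounding the 6.5 line and adding the 6.6 fix would match the description: `- "~> 6.5.1, >= 6.5.1.1"` and `- ">= 6.6.3.1"`. The description also says the issue starts at 6.3.3, so if earlier releases are confirmed unaffected, an `unaffected_versions` entry such as `- "< 6.3.3"` would avoid false positives.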