ALPINE-CVE-2020-10933

ALPINE-CVE-2020-10933 PUBLISHED CVSS 5.300000190734863 MEDIUM

An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.

Risk Scores

CVSS v3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Alpine:v3.9	ruby	2.0.0, 2.2.2-r1, 2.2.3-r0
Alpine:v3.21	ruby	0, 0, 0
Alpine:v3.10	ruby	2.0.0, 0, 1.8.7_p160-r2
Alpine:v3.18	ruby	2.0.0, 2.1.5-r1, 2.2.1-r0
Alpine:v3.19	ruby	2.0.0, 2.1.5-r1, 2.2.1-r0
Alpine:v3.23	ruby	0, 0, 0
Alpine:v3.14	ruby	2.4.0-r3, 1.8.7_p160-r2, 1.8.7_p160-r3
Alpine:v3.20	ruby	0, 0, 0
Alpine:v3.11	ruby	1.8.7_p358-r1, 1.8.7_p72-r1, 1.8.7_p72-r2
Alpine:v3.13	ruby	2.6.3-r1, 2.6.5-r2, 2.6.5-r1
Alpine:v3.15	ruby	2.4.0-r3, 2.4.1-r3, 1.8.7_p174-r0
Alpine:v3.22	ruby	0, 0, 0
Alpine:v3.16	ruby	1.8.7_p174-r4, 2.4.0-r3, 2.3.3-r3
Alpine:v3.8	ruby	2.5.7-r0, 2.4.1-r2, 2.4.1-r1
Alpine:v3.12	ruby	2.0.0_p481-r0, 2.5.1-r0, 2.5.0-r1
Alpine:v3.17	ruby	1.8.7_p352-r1, 1.8.7_p358-r1, 1.8.7_p72-r1

Timeline

May 4, 2020 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2020-10933 advisory

Open in Interactive Console →