ALPINE-CVE-2024-27282

ALPINE-CVE-2024-27282 PUBLISHED CVSS 6.599999904632568 MEDIUM

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.

Risk Scores

CVSS v3.1

6.599999904632568

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Affected Products

Vendor	Product	Versions
Alpine:v3.21	ruby	0, 0, 0
Alpine:v3.19	ruby	2.7.3-r1, 2.7.3-r0, 2.7.2-r4
Alpine:v3.22	ruby	0, 0, 0
Alpine:v3.17	ruby	2.5.1-r0, 2.5.0-r0, 2.4.3-r0
Alpine:v3.20	ruby	0, 0, 0
Alpine:v3.23	ruby	0, 0, 0
Alpine:v3.16	ruby	2.6.5-r1, 2.1.5-r1, 2.2.2-r0
Alpine:v3.18	ruby	1.8.7_p72-r1, 1.8.7_p72-r2, 1.9.3_p194-r0

Timeline

May 14, 2024 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2024-27282 advisory

Open in Interactive Console →