BIT-ruby-min-2024-27282
PUBLISHED
CVSS 6.6 MEDIUM
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
Risk Scores
CVSS v3.1
6.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | ruby-min | 0, 3.2.0, 3.3.0 |
Timeline
- Jan 27, 2025 CVE Published
- Nov 6, 2025 CVE Updated
References
- https://hackerone.com/reports/2122624
- https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
- https://security.netapp.com/advisory/ntap-20241011-0007/
- https://nvd.nist.gov/vuln/detail/CVE-2024-27282
- https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N/