Heap Exposure in Ruby Products by Ruby Programming Language
CVE-2020-10933

5.3MEDIUM

Key Information:

Vendor

Ruby-lang

Status
Ruby
Vendor
CVE Published:
4 May 2020

What is CVE-2020-10933?

A vulnerability exists in Ruby versions 2.5.x up to 2.5.7, 2.6.x up to 2.6.5, and 2.7.0 that may expose sensitive data from the interpreter. When invoking the BasicSocket#read_nonblock method with parameters that resize the buffer, the buffer does not copy the new data, instead retaining old data from the heap. This behavior can potentially disclose sensitive information that was previously stored in memory, posing a significant security risk.

References

https://www.ruby-lang.org/en/news/2020/03/31/heap-exposur...
x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA
https://security.netapp.com/advisory/ntap-20200625-0001/
x_refsource_CONFIRM

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.