Double Free Vulnerability in Ruby Regexp Compiler by Ruby
CVE-2022-28738

9.8CRITICAL

Key Information:

Vendor: Ruby-lang
Status: Ruby
Vendor: CVE Published:; 9 May 2022

What is CVE-2022-28738?

A vulnerability exists in the Regexp compiler of Ruby versions prior to 3.0.4 and 3.1.2 that allows attackers to exploit double free errors. When an attacker provides untrusted user input, they may manipulate the Regexp creation process, resulting in the potential for writing to unexpected memory locations. This poses a significant risk for applications relying on Ruby's regex capabilities, making it crucial for developers to update affected versions promptly.

References

https://hackerone.com/reports/1220911

https://www.ruby-lang.org/en/news/2022/04/12/double-free-...

https://security-tracker.debian.org/tracker/CVE-2022-28738

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 9, 2022
Vulnerability Reserved
Apr 6, 2022

Ruby-lang

What is CVE-2022-28738?

References

CVSS V3.1

Timeline