YAML Object Injection and Remote Code Execution in RDoc by Ruby
CVE-2024-27281

4.5 MEDIUM

Key Information:

Vendor:
Ruby

CVE Published:
14 May 2024

What is CVE-2024-27281?

An issue exists in RDoc versions 6.3.3 through 6.6.2, as distributed in Ruby 3.x up to 3.3.0. When RDoc parses a .rdoc_options file (its per-project configuration file) as YAML, it places no restriction on the classes that may be restored, so a crafted file can inject arbitrary objects and, through them, achieve remote code execution. Loading the documentation cache is affected in the same way if the cache contains crafted content. The issue is addressed in RDoc version 6.6.3.1, with backported fixes for Ruby 3.0 (version 6.3.4.1), Ruby 3.1 (version 6.4.1.1), and Ruby 3.2 (version 6.5.1.1). Users should update to the fixed versions to mitigate this risk.
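The defect class the advisory describes, unrestricted YAML deserialisation of a configuration file, and the fix class, safe_load with an explicit allow list, are contrasted in the added Ruby example below. This is illustrative code written for this page, not RDoc's own implementation; the classes DocOptions and NotAConfig and both sample documents are constructed for the demonstration.

```ruby
require 'yaml'

# Hypothetical options class standing in for whatever a documentation tool keeps
# in its configuration file. Added example; this is not RDoc's own class.
class DocOptions
  attr_accessor :title, :verbosity
end

# Hypothetical class the application never intends to build from a config file.
# It stands in for any arbitrary class an unrestricted YAML loader would instantiate.
class NotAConfig
  attr_accessor :payload
end

# Constructed sample: a well-formed options file that asks YAML to build a DocOptions.
TRUSTED_OPTIONS = <<~YAML
  --- !ruby/object:DocOptions
  title: Project docs
  verbosity: 2
YAML

# Constructed sample: the same shape, but the tag names a class the application
# does not expect. An unrestricted loader instantiates it anyway, so the file,
# not the program, decides which class gets built.
UNEXPECTED_OBJECT = <<~YAML
  --- !ruby/object:NotAConfig
  payload: anything
YAML

# The defect class: deserialise with no restriction on the classes that may be
# restored. Psych 4 (Ruby 3.1 and later) exposes this as unsafe_load; in older
# Psych the plain load call behaves the same way.
def load_unrestricted(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# The fix class: safe_load with an explicit allow list. A document tagged with
# any other class raises Psych::DisallowedClass instead of being instantiated.
def load_restricted(text)
  YAML.safe_load(text, permitted_classes: [DocOptions], aliases: false)
end

# Wrapper a tool would call on a repository-supplied options file. Returns
# [:ok, DocOptions] or [:rejected, reason] and never raises on hostile input.
# Note that Psych::DisallowedClass inherits from Exception, not StandardError,
# so it must be rescued explicitly.
def load_options(text)
  obj = load_restricted(text)
  return [:rejected, "expected DocOptions, got #{obj.class}"] unless obj.is_a?(DocOptions)
  [:ok, obj]
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts load_unrestricted(UNEXPECTED_OBJECT).class   # NotAConfig: the file chose the class
  p load_options(UNEXPECTED_OBJECT)                 # [:rejected, "Tried to load unspecified class: NotAConfig"]
  p load_options(TRUSTED_OPTIONS).first             # :ok
end
```

The allow list is the whole mitigation: restricting revivable classes to the one type the application expects turns an object-injection primitive into a parse error, which is also the shape of change a defender should look for when auditing any code path that feeds user- or repository-controlled YAML into Psych.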

CVSS V3.1

Score:
4.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published