|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2024-27281 (rdoc): RCE vulnerability with .rdoc_options in RDoc' |
| 4 | +comments: false |
| 5 | +categories: |
| 6 | +- rdoc |
| 7 | +advisory: |
| 8 | + gem: rdoc |
| 9 | + cve: 2024-27281 |
| 10 | + url: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/ |
| 11 | + title: RCE vulnerability with .rdoc_options in RDoc |
| 12 | + date: 2024-03-21 |
| 13 | + description: | |
| 14 | + An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby |
| 15 | + 3.x through 3.3.0. |
| 16 | +
|
| 17 | + When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, |
| 18 | + object injection and resultant remote code execution are possible because |
| 19 | + there are no restrictions on the classes that can be restored. |
| 20 | +
|
| 21 | + When loading the documentation cache, object injection and resultant remote |
| 22 | + code execution are also possible if there were a crafted cache. |
| 23 | +
|
| 24 | + We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to |
| 25 | + ensure compatibility with bundled version in older Ruby series, you may |
| 26 | + update as follows instead: |
| 27 | +
|
| 28 | + * For Ruby 3.0 users: Update to `rdoc` 6.3.4.1 |
| 29 | + * For Ruby 3.1 users: Update to `rdoc` 6.4.1.1 |
| 30 | + * For Ruby 3.2 users: Update to `rdoc` 6.5.1.1 |
| 31 | +
|
| 32 | + You can use `gem update rdoc` to update it. If you are using bundler, please |
| 33 | + add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`. |
| 34 | +
|
| 35 | + Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to |
| 36 | + upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them. |
| 37 | + patched_versions: |
| 38 | + - "~> 6.3.4, >= 6.3.4.1" |
| 39 | + - "~> 6.4.1, >= 6.4.1.1" |
| 40 | + - ">= 6.5.1.1" |
| 41 | +--- |
0 commit comments