{
  "threat_severity" : "Moderate",
  "public_date" : "2024-03-21T00:00:00Z",
  "bugzilla" : {
    "description" : "ruby: Buffer overread vulnerability in StringIO",
    "id" : "2270750",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2270750"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-126",
  "details" : [ "A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.", "A buffer overread flaw was found in rubygem StringIO. The ungetbyte and ungetc methods on a StringIO object can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-30T00:00:00Z",
    "advisory" : "RHSA-2024:3500",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:3.0-8100020240522072634.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-06-03T00:00:00Z",
    "advisory" : "RHSA-2024:3546",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:3.1-8100020240510101534.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-06-06T00:00:00Z",
    "advisory" : "RHSA-2024:3670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:3.3-8100020240522151542.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-07-11T00:00:00Z",
    "advisory" : "RHSA-2024:4499",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "ruby:2.5-8100020240627152904.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-06-06T00:00:00Z",
    "advisory" : "RHSA-2024:3668",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "ruby:3.1-9040020240503183840.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-06-06T00:00:00Z",
    "advisory" : "RHSA-2024:3671",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "ruby:3.3-9040020240522171337.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-06-11T00:00:00Z",
    "advisory" : "RHSA-2024:3838",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "ruby-0:3.0.7-162.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "puppet-memcached",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Not affected",
    "package_name" : "puppet-memcached",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "satellite-installer",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "ruby",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-27280\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-27280\nhttps://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/" ],
  "name" : "CVE-2024-27280",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}