Bug 2270749 (CVE-2024-27281) - CVE-2024-27281 ruby: RCE vulnerability with .rdoc_options in RDoc
Summary: CVE-2024-27281 ruby: RCE vulnerability with .rdoc_options in RDoc
Keywords:
Status: NEW
Alias: CVE-2024-27281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2276875 2277054 2277055 2280544 2270786 2270787 2270788 2270789 2270790 2270791 2270792 2270793 2270794 2270795 2270796 2270797 2270798 2270799 2270800 2270801 2270802 2270803 2270804 2270805 2270806 2270807 2270808 2270809 2270810 2270811 2270812 2270813 2270814 2270815 2270816 2270817 2270818 2270819 2270820 2270821 2270822 2270823 2270824 2270825 2270826 2270827 2270828 2270829 2270830 2270831 2277049 2277050 2277051 2277052 2277053
Blocks: 2270748
TreeView+ depends on / blocked
 
Reported: 2024-03-21 17:48 UTC by Zack Miele
Modified: 2024-06-20 01:56 UTC (History)
26 users (show)

Fixed In Version: rdoc 6.3.4.1, rdoc 6.4.1.1, rdoc 6.5.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Rubygem RDoc. When parsing .rdoc_options used for configuration in RDoc as a YAML file there are no restrictions on the classes that can be restored. This issue may lead to object injection, resulting in remote code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:3540 0 None None None 2024-06-03 01:16:41 UTC
Red Hat Product Errata RHBA-2024:3577 0 None None None 2024-06-04 07:35:34 UTC
Red Hat Product Errata RHBA-2024:3863 0 None None None 2024-06-12 08:23:20 UTC
Red Hat Product Errata RHBA-2024:3987 0 None None None 2024-06-19 13:54:06 UTC
Red Hat Product Errata RHBA-2024:3996 0 None None None 2024-06-20 01:56:03 UTC
Red Hat Product Errata RHSA-2024:3500 0 None None None 2024-05-30 13:12:43 UTC
Red Hat Product Errata RHSA-2024:3546 0 None None None 2024-06-03 07:15:11 UTC
Red Hat Product Errata RHSA-2024:3668 0 None None None 2024-06-06 08:57:15 UTC
Red Hat Product Errata RHSA-2024:3670 0 None None None 2024-06-06 09:23:25 UTC
Red Hat Product Errata RHSA-2024:3671 0 None None None 2024-06-06 09:48:16 UTC
Red Hat Product Errata RHSA-2024:3838 0 None None None 2024-06-11 19:42:27 UTC

Description Zack Miele 2024-03-21 17:48:54 UTC
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.

When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.

Comment 2 Zack Miele 2024-03-21 18:12:28 UTC
Created puppet tracking bugs for this issue:

Affects: epel-8 [bug 2270792]


Created ruby:3.1/rubygem-pg tracking bugs for this issue:

Affects: fedora-38 [bug 2270798]


Created rubygem-ammeter tracking bugs for this issue:

Affects: fedora-all [bug 2270813]


Created rubygem-bcrypt tracking bugs for this issue:

Affects: epel-7 [bug 2270787]


Created rubygem-bcrypt_pbkdf tracking bugs for this issue:

Affects: fedora-all [bug 2270815]


Created rubygem-domain_name tracking bugs for this issue:

Affects: fedora-38 [bug 2270801]


Created rubygem-haml tracking bugs for this issue:

Affects: fedora-all [bug 2270817]


Created rubygem-highline tracking bugs for this issue:

Affects: epel-8 [bug 2270793]


Created rubygem-http-cookie tracking bugs for this issue:

Affects: fedora-all [bug 2270818]


Created rubygem-jquery-rails tracking bugs for this issue:

Affects: fedora-38 [bug 2270803]


Created rubygem-marc tracking bugs for this issue:

Affects: fedora-all [bug 2270819]


Created rubygem-mechanize tracking bugs for this issue:

Affects: fedora-38 [bug 2270805]


Created rubygem-minitest-around tracking bugs for this issue:

Affects: fedora-all [bug 2270820]


Created rubygem-net-http-persistent tracking bugs for this issue:

Affects: fedora-all [bug 2270821]


Created rubygem-pdfkit tracking bugs for this issue:

Affects: fedora-all [bug 2270822]


Created rubygem-pg tracking bugs for this issue:

Affects: fedora-all [bug 2270823]


Created rubygem-power_assert tracking bugs for this issue:

Affects: fedora-all [bug 2270824]


Created rubygem-rest-client tracking bugs for this issue:

Affects: fedora-all [bug 2270825]


Created rubygem-ruby_engine tracking bugs for this issue:

Affects: epel-7 [bug 2270788]
Affects: fedora-all [bug 2270826]


Created rubygem-ruby_version tracking bugs for this issue:

Affects: epel-7 [bug 2270789]
Affects: fedora-38 [bug 2270808]


Created rubygem-shindo tracking bugs for this issue:

Affects: fedora-all [bug 2270827]


Created rubygem-shoulda-context tracking bugs for this issue:

Affects: fedora-all [bug 2270828]


Created rubygem-sinatra tracking bugs for this issue:

Affects: epel-7 [bug 2270790]


Created rubygem-sqlite3 tracking bugs for this issue:

Affects: epel-8 [bug 2270794]
Affects: fedora-38 [bug 2270810]


Created rubygem-stringex tracking bugs for this issue:

Affects: fedora-all [bug 2270829]


Created rubygem-tins tracking bugs for this issue:

Affects: epel-7 [bug 2270791]
Affects: fedora-all [bug 2270830]


Created rubygem-webmock tracking bugs for this issue:

Affects: fedora-all [bug 2270831]


Created whatweb tracking bugs for this issue:

Affects: epel-8 [bug 2270797]
Affects: fedora-all [bug 2270786]

Comment 3 Mamoru TASAKA 2024-03-22 09:34:43 UTC
I don't think this affects generated documents, only rubygem-rdoc is affected if possible.

Comment 4 Vít Ondruch 2024-03-22 09:49:45 UTC
This is the official announcement:

https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

This is the patch:

https://github.com/ruby/rdoc/commit/33221979e3a6a18de962553b56c396abb5ba3244

And I'd like to elaborate that having `.rdoc_options` file around does not mean the package is vulnerable. It could be in theory, but using upstream sources, the chances are minimal.

Comment 7 Sandipan Roy 2024-04-25 05:03:18 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-38 [bug 2277049]
Affects: fedora-39 [bug 2277051]
Affects: fedora-40 [bug 2277052]


Created ruby:3.1/ruby tracking bugs for this issue:

Affects: fedora-38 [bug 2277050]


Created rubygem-rdoc tracking bugs for this issue:

Affects: fedora-38 [bug 2277053]
Affects: fedora-39 [bug 2277054]
Affects: fedora-40 [bug 2277055]

Comment 10 errata-xmlrpc 2024-05-30 13:12:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3500 https://access.redhat.com/errata/RHSA-2024:3500

Comment 11 errata-xmlrpc 2024-06-03 07:15:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3546 https://access.redhat.com/errata/RHSA-2024:3546

Comment 12 errata-xmlrpc 2024-06-06 08:57:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3668 https://access.redhat.com/errata/RHSA-2024:3668

Comment 13 errata-xmlrpc 2024-06-06 09:23:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3670 https://access.redhat.com/errata/RHSA-2024:3670

Comment 14 errata-xmlrpc 2024-06-06 09:48:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3671 https://access.redhat.com/errata/RHSA-2024:3671

Comment 15 errata-xmlrpc 2024-06-11 19:42:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3838 https://access.redhat.com/errata/RHSA-2024:3838


Note You need to log in before you can comment on or make changes to this bug.