|
| 1 | +--- |
| 2 | +gem: rdoc |
| 3 | +cve: 2024-27281 |
| 4 | +url: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/ |
| 5 | +title: RCE vulnerability with .rdoc_options in RDoc |
| 6 | +date: 2024-03-21 |
| 7 | +description: | |
| 8 | + An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby |
| 9 | + 3.x through 3.3.0. |
| 10 | +
|
| 11 | + When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, |
| 12 | + object injection and resultant remote code execution are possible because |
| 13 | + there are no restrictions on the classes that can be restored. |
| 14 | +
|
| 15 | + When loading the documentation cache, object injection and resultant remote |
| 16 | + code execution are also possible if there were a crafted cache. |
| 17 | +
|
| 18 | + We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to |
| 19 | + ensure compatibility with bundled version in older Ruby series, you may |
| 20 | + update as follows instead: |
| 21 | +
|
| 22 | + * For Ruby 3.0 users: Update to `rdoc` 6.3.4.1 |
| 23 | + * For Ruby 3.1 users: Update to `rdoc` 6.4.1.1 |
| 24 | + * For Ruby 3.2 users: Update to `rdoc` 6.5.1.1 |
| 25 | +
|
| 26 | + You can use `gem update rdoc` to update it. If you are using bundler, please |
| 27 | + add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`. |
| 28 | +
|
| 29 | + Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to |
| 30 | + upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them. |
| 31 | +patched_versions: |
| 32 | + - "~> 6.3.4, >= 6.3.4.1" |
| 33 | + - "~> 6.4.1, >= 6.4.1.1" |
| 34 | + - ">= 6.5.1.1" |
0 commit comments