CVE-2020-10933

CVSS v3.1 5.3 (Medium)

CVSS v2.0 5 (Medium)

EPSS 0.65 % (80^th)

Affected Products 4

Advisories 15

An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.

Weaknesses

CWE-908: Use of Uninitialized Resource

CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2020-05-04 15:15:13
(4 years ago)
Updated Date: 2023-11-07 03:14:25
(10 months ago)

Affected Products

Configuration #1

AND

		CPE23	From	Up To
OR
	Ruby-lang Ruby from 2.5.0 version and 2.5.7 and prior versions	cpe:2.3:a:ruby-lang:ruby	>= 2.5.0	<= 2.5.7
OR
	Running on/with
	Ruby-lang Ruby from 2.6.0 version and 2.6.5 and prior versions	cpe:2.3:a:ruby-lang:ruby	>= 2.6.0	<= 2.6.5
OR
	Running on/with
	Ruby-lang Ruby 2.7.0	cpe:2.3:a:ruby-lang:ruby:2.7.0
OR
	Running on/with
	Linux Kernel	cpe:2.3:o:linux:linux_kernel:-

Configuration #2

		CPE23	From	Up To
	Fedoraproject Fedora 31	cpe:2.3:o:fedoraproject:fedora:31

Configuration #3

		CPE23	From	Up To
	Debian Linux 10.0	cpe:2.3:o:debian:debian_linux:10.0

Weaknesses

Affected Products

Debian

Fedoraproject

Linux

Ruby-lang

Configuration #1

Configuration #2

Configuration #3