1. Home
  2. Security Advisories
  3. Ruby (Gems)
  4. RUBYSEC:STRINGIO-2024-27280

[RUBYSEC:STRINGIO-2024-27280] Buffer overread vulnerability in StringIO

Severity Critical
Affected Packages 1
Fixed Packages 1
CVEs 1
Info Packages References Vulnerabilities

An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x
through 3.0.6 and 3.1.x through 3.1.4.

The ungetbyte and ungetc methods on a StringIO can read past the end of a
string, and a subsequent call to StringIO.gets may return the memory value.

This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x
and later.

We recommend to update the StringIO gem to version 3.0.3 or later. In order to
ensure compatibility with bundled version in older Ruby series, you may update
as follows instead:

  • For Ruby 3.0 users: Update to stringio 3.0.1.1
  • For Ruby 3.1 users: Update to stringio 3.0.1.2

You can use gem update stringio to update it. If you are using bundler,
please add gem "stringio", ">= 3.0.1.2" to your Gemfile.

Package Affected Version
pkg:gem/stringio < 3.0.1.1
Package Fixed Version
pkg:gem/stringio >= 3.0.1.1
ID
RUBYSEC:STRINGIO-2024-27280
Severity
critical
URL
https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
Published
2024-03-21T00:00:00
(5 months ago)
Modified
2024-07-06T12:06:15
(2 months ago)
Rights
RubySec Security Team
Other Advisories
Source # ID Name URL
Security Advisory GHSA-v5h6-c2hv-hv3r https://github.com/advisories/GHSA-v5h6-c2hv-hv3r
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Fixed pkg:gem/stringio stringio >= 3.0.1.1
Affected pkg:gem/stringio stringio < 3.0.1.1
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date