← Back

CVE-2020-10933

nvd nist
Published: May 4, 2020Modified: Nov 21, 2024

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.

Affected (5)

Ruby Lang
1 product
Ruby
Fedoraproject
1 product
Fedora
Debian
1 product
Debian Linux
Configuration A
3 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Ruby Lang
Ruby
From 2.5.0 to 2.5.7
Ruby
From 2.6.0 to 2.6.5
Ruby
Version 2.7.0
Running on/withPlatform Versions
Linux
Linux Kernel
All versions
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Fedora
Version 31
Configuration C
1 vulnerable
Vulnerable SoftwareAffected Versions
Debian Linux
Version 10.0

Related CWEs

CWE-908
Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.

References (8)

Source: cve@mitre.org
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
ExploitVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitVendor Advisory

Timeline

No history available yet.