Miggo Logo

CVE-2024-27280: StringIO buffer overread vulnerability

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.84064%
Published
3/25/2024
Updated
8/7/2024
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
stringiorubygems< 3.0.1.13.0.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the buffer management in ungetbyte/ungetc operations. The commit c58c5f5 shows a critical fix in strio_unget_bytes where buffer expansion calculations were incorrect (ex = cl - (rest < 0 ? pos : len) vs original flawed logic). This miscalculation allowed writing beyond the buffer's allocated space. Subsequent gets calls would then read from this corrupted buffer state, exposing memory. The test cases added for ungetc_fill/ungetbyte_fill validate this by testing large unget operations that would trigger buffer expansion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in Strin*IO *.*.*, *s *istri*ut** in Ru*y *.*.x t*rou** *.*.* *n* *.*.x t*rou** *.*.*. T** `un**t*yt*` *n* `un**t*` m*t*o*s on * Strin*IO **n r*** p*st t** *n* o* * strin*, *n* * su*s*qu*nt **ll to `Strin*IO.**ts` m*y r*turn

Reasoning

T** vuln*r**ility st*ms *rom t** *u***r m*n***m*nt in un**t*yt*/un**t* op*r*tions. T** *ommit ******* s*ows * *riti**l *ix in strio_un**t_*yt*s w**r* *u***r *xp*nsion **l*ul*tions w*r* in*orr**t (*x = *l - (r*st < * ? pos : l*n) vs ori*in*l *l*w** lo