9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27280

GHSA ID

GHSA-v5h6-c2hv-hv3r

EPSS Score

0.84064%

CWE

CWE-120

Published

3/25/2024

Updated

8/7/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-27280

CVE-2024-27280: StringIO buffer overread vulnerability

An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.

The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.

This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.

We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

For Ruby 3.0 users: Update to stringio 3.0.1.1
For Ruby 3.1 users: Update to stringio 3.1.0.2

You can use gem update stringio to update it. If you are using bundler, please add gem "stringio", ">= 3.0.1.2" to your Gemfile.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27280

GHSA ID

GHSA-v5h6-c2hv-hv3r

EPSS Score

0.84064%

CWE

CWE-120

Published

3/25/2024

Updated

8/7/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
stringio	rubygems	< 3.0.1.1	3.0.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the buffer management in ungetbyte/ungetc operations. The commit c58c5f5 shows a critical fix in strio_unget_bytes where buffer expansion calculations were incorrect (ex = cl - (rest < 0 ? pos : len) vs original flawed logic). This miscalculation allowed writing beyond the buffer's allocated space. Subsequent gets calls would then read from this corrupted buffer state, exposing memory. The test cases added for ungetc_fill/ungetbyte_fill validate this by testing large unget operations that would trigger buffer expansion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in Strin*IO *.*.*, *s *istri*ut** in Ru*y *.*.x t*rou** *.*.* *n* *.*.x t*rou** *.*.*. T** `un**t*yt*` *n* `un**t*` m*t*o*s on * Strin*IO **n r*** p*st t** *n* o* * strin*, *n* * su*s*qu*nt **ll to `Strin*IO.**ts` m*y r*turn

Reasoning

T** vuln*r**ility st*ms *rom t** *u***r m*n***m*nt in un**t*yt*/un**t* op*r*tions. T** *ommit ******* s*ows * *riti**l *ix in strio_un**t_*yt*s w**r* *u***r *xp*nsion **l*ul*tions w*r* in*orr**t (*x = *l - (r*st < * ? pos : l*n) vs ori*in*l *l*w** lo

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-27280: StringIO buffer overread vulnerability

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI