DNA View

Critical Severity Vulnerability

This vulnerability has been rated as Critical severity. Immediate action is recommended.

CVE-2024-27280

Critical

Low Medium High Critical

9.8

CVSS Score

Published: May 14, 2024

Last Modified: Nov 04, 2025

CWE: CWE-120

Vulnerability Description

A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Available Security Patches

1 patch available from vendors

View All Patches

Oracle

CPUJAN2025

Oracle Critical Patch Update Advisory - January 2025

Severity

Critical

Released

Jan 21, 2025

Restart Required

Security Update

View Details Vendor Page

Browse All Security Patches

References & Resources

Severity Details

9.8

out of 10.0

Critical

Weakness Type (CWE)

CWE-120 Top 25 #18

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description: The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Base