Merge branch 'CVE-2024-27281-rdoc'

Author: hsbt

en/news/_posts/2024-03-21-rce-rdoc-cve-2024-27281.md

@@ -0,0 +1,46 @@
+---
+layout: news_post
+title: "CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc"
+author: "hsbt"
+translator:
+date: 2023-03-21 11:00:00 +0000
+tags: security
+lang: en
+---
+
+We have released the RDoc gem version 6.3.4, 6.4.1, 6.5.1 and 6.6.3 that have a security fix for a RCE vulnerability.
+This vulnerability has been assigned the CVE identifier [CVE-2024-27281](https://www.cve.org/CVERecord?id=CVE-2024-27281).
+
+## Details
+
+An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.
+
+When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.
+
+When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.
+
+## Recommended action
+
+We recommend to update the RDoc gem to version 6.6.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
+
+* For Ruby 3.0 users: Update to `rdoc` 6.3.4
+* For Ruby 3.1 users: Update to `time` 6.4.1
+* For Ruby 3.2 users: Update to `time` 6.5.1
+
+You can use `gem update rdoc` to update it. If you are using bundler, please add `gem "rdoc", ">= 6.6.3"` to your `Gemfile`.
+
+## Affected versions
+
+* Ruby 3.0.6 or lower
+* Ruby 3.1.4 or lower
+* Ruby 3.2.3 or lower
+* Ruby 3.3.0
+* RDoc gem 6.3.3 or lower, 6.4.0 through 6.6.2 without the patch versions (6.3.4, 6.4.1, 6.5.1, 6.6.3)
+
+## Credits
+
+Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q?type=user) for discovering this issue.
+
+## History
+
+* Originally published at 2024-03-31 11:00:00 (UTC)