CVE-2024-27281: Critical Vulnerability Patched in Popular Ruby Documentation Tool
The Ruby development team has released an urgent security patch for a critical vulnerability found in RDoc, a widely used Ruby documentation generator. The vulnerability, tracked as CVE-2024-27281, could allow attackers to execute arbitrary code remotely on systems using affected versions of RDoc.
The Nature of the CVE-2024-27281 Vulnerability
- Improper YAML Handling: The flaw stems from RDoc’s unrestricted handling of YAML files (specifically .rdoc_options configuration files). Attackers could inject malicious content into these files, leading to the loading and execution of unauthorized code.
- Double Danger: The vulnerability also affects how RDoc loads documentation caches. If a specially crafted cache is introduced, it can trigger the same remote code execution.
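As an added illustration (not RDoc's own code), the snippet below contrasts unrestricted YAML loading of a constructed .rdoc_options-style file with a loader restricted to plain data; ReviewMarker, BENIGN_OPTIONS and TAGGED_OPTIONS are constructed for this example.

```ruby
require "yaml"

# Stand-in for any class already loaded in the process; harmless here, but an
# unrestricted loader instantiates whatever class a YAML tag names.
class ReviewMarker
  attr_accessor :note
end

# Constructed sample: a plausible .rdoc_options file containing only plain data.
BENIGN_OPTIONS = <<~YAML
  title: My Gem
  main_page: README.md
  markup: markdown
  exclude:
    - spec/
YAML

# Constructed sample: the same file with a tag that names an arbitrary class.
TAGGED_OPTIONS = <<~YAML
  title: My Gem
  extra: !ruby/object:ReviewMarker
    note: instantiated by the loader
YAML

# Unrestricted loading, the pattern the advisory is about. Psych 4 (Ruby 3.1+)
# exposes it as YAML.unsafe_load; on Psych 3 (Ruby 3.0) YAML.load itself is unrestricted.
def load_unrestricted(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Restricted loading: only scalars, arrays, hashes and Symbols are permitted, aliases
# are refused, and the result must be a Hash because an options file is a flat mapping.
# Anything tagged with another class raises Psych::DisallowedClass instead of being built.
def load_restricted(text)
  data = YAML.safe_load(text, permitted_classes: [Symbol], aliases: false)
  raise TypeError, "options file must be a mapping, got #{data.class}" unless data.is_a?(Hash)
  data
end

if __FILE__ == $PROGRAM_NAME
  p load_restricted(BENIGN_OPTIONS)
  begin
    load_restricted(TAGGED_OPTIONS)
  rescue Psych::DisallowedClass => e
    puts "rejected: #{e.message}"
  end
  puts load_unrestricted(TAGGED_OPTIONS)["extra"].class
end
```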
Who’s Affected?
- Ruby Users: Any developer or system running the following is at risk:
    - Ruby versions 3.0.6, 3.1.4, 3.2.3, or 3.3.0
    - RDoc gem versions 6.3.3, 6.4.0 through 6.6.2 (excluding the latest patch versions)
- Wide Exposure: Since RDoc is a standard tool included in many Ruby installations, a large number of systems could be vulnerable.
What You Should Do
- Update Immediately: Upgrade to the patched versions of RDoc released by the Ruby team:
    - Ruby 3.0: Update to rdoc 6.3.4.1
    - Ruby 3.1: Update to rdoc 6.4.1.1
    - Ruby 3.2: Update to rdoc 6.5.1.1
    - General update: Update to rdoc 6.6.3.1 or later
- Bundler Users: If you use the Bundler dependency manager, update your Gemfile with the following line:
    gem "rdoc", ">= 6.6.3.1"
Key Takeaways
- The Risk of Configuration Files: This vulnerability highlights the dangers of insecurely handling configuration files, even for seemingly benign tools.
- Supply Chain Scrutiny: It’s crucial to stay up-to-date on security advisories for all libraries and tools in your development stack, as they can be targets for attacks.
Additional Notes
The initial patches for versions 6.3.4, 6.4.1, 6.5.1, and 6.6.3 contained an error. It’s strongly recommended to use only the latest versions (6.3.4.1, 6.4.1.1, 6.5.1.1, and 6.6.3.1) to ensure your system’s security.