Alpine: ruby: security update to 3.1.5-r0

critical Tenable Self-Hosted Container Security Plugin ID 408382

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and
3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and
a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however,
for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is
stringio 3.0.1.2. (CVE-2024-27280)

- An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When
parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant
remote code execution are possible because there are no restrictions on the classes that can be restored.
(When loading the documentation cache, object injection and resultant remote code execution are also
possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed
version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed
version is rdoc 6.5.1.1. (CVE-2024-27281)

- An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex
compiler, it is possible to extract arbitrary heap data relative to the start of the text, including
pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1. (CVE-2024-27282)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-27280

https://security.alpinelinux.org/vuln/CVE-2024-27281

https://security.alpinelinux.org/vuln/CVE-2024-27282

Plugin Details

Severity: Critical

ID: 408382

Version: Revision 1.26

Type: Local

Published: 4/25/2024

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.83

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: CVE-2024-27282

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-27280

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/25/2024

Reference Information

CVE: CVE-2024-27280, CVE-2024-27281, CVE-2024-27282

IAVA: 2024-A-0328