Detections
Analytics

TencentOS Server 3: ruby:3.1 (TSSA-2024:0235)

high Nessus Plugin ID 239145

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0235 advisory.

 Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

 CVE-2024-27280:
 A buffer overread flaw was found in rubygem StringIO. The ungetbyte and ungetc methods on a StringIO object can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.

 CVE-2024-27281:
 A flaw was found in Rubygem RDoc. When parsing .rdoc_options used for configuration in RDoc as a YAML file there are no restrictions on the classes that can be restored. This issue may lead to object injection, resulting in remote code execution.

 CVE-2024-27282:
 A flaw was found in Ruby. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20240235.xml

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27280

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27281

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27282

Plugin Details

Severity: High

ID: 239145

File Name: tencentos_TSSA_2024_0235.nasl

Version: 1.1

Type: local

Published: 6/16/2025

Updated: 6/16/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:tencent:tencentos_server:ruby, cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:rubygem-pg, p-cpe:/a:tencent:tencentos_server:rubygem-mysql2, p-cpe:/a:tencent:tencentos_server:rubygem-abrt

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/3/2024

Vulnerability Publication Date: 6/3/2024