Vulnerability details: VCID-1d77-a3xt-fbcf
Vulnerability ID VCID-1d77-a3xt-fbcf
Aliases CVE-2024-27280
GHSA-v5h6-c2hv-hv3r
Summary StringIO buffer overread vulnerability

An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value. This vulnerability does not affect StringIO 3.0.3 and later, or Ruby 3.2.x and later.

We recommend updating the StringIO gem to version 3.0.3 or later. To remain compatible with the version bundled in older Ruby series, you may instead update as follows:

* For Ruby 3.0 users: Update to `stringio` 3.0.1.1
* For Ruby 3.1 users: Update to `stringio` 3.1.0.2

You can use `gem update stringio` to update it. If you are using bundler, add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 3.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27280.json
epss 0.01181 https://api.first.org/data/v1/epss?cve=CVE-2024-27280
epss 0.02308 https://api.first.org/data/v1/epss?cve=CVE-2024-27280
cvssv3.1 3.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-v5h6-c2hv-hv3r
cvssv3.1 9.8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml
generic_textual CRITICAL https://github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml
cvssv3.1 9.8 https://github.com/ruby/stringio
generic_textual CRITICAL https://github.com/ruby/stringio
cvssv3.1 9.8 https://github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233
generic_textual CRITICAL https://github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233
cvssv3.1 9.8 https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8
generic_textual CRITICAL https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8
cvssv3.1 9.8 https://hackerone.com/reports/1399856
generic_textual CRITICAL https://hackerone.com/reports/1399856
ssvc Track https://hackerone.com/reports/1399856
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2024-27280
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2024-27280
cvssv3.1 9.8 https://security.netapp.com/advisory/ntap-20250502-0003
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20250502-0003
cvssv3.1 9.8 https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280
generic_textual CRITICAL https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280
cvssv3 9.8 https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
cvssv3.1 9.8 https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
ssvc Track https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27280.json
https://api.first.org/data/v1/epss?cve=CVE-2024-27280
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27280
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml
https://github.com/ruby/stringio
https://github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233
https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8
https://hackerone.com/reports/1399856
https://nvd.nist.gov/vuln/detail/CVE-2024-27280
https://security.netapp.com/advisory/ntap-20250502-0003
https://security.netapp.com/advisory/ntap-20250502-0003/
https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280
https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
1069966 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069966
2270750 https://bugzilla.redhat.com/show_bug.cgi?id=2270750
GHSA-v5h6-c2hv-hv3r https://github.com/advisories/GHSA-v5h6-c2hv-hv3r
RHSA-2024:3500 https://access.redhat.com/errata/RHSA-2024:3500
RHSA-2024:3546 https://access.redhat.com/errata/RHSA-2024:3546
RHSA-2024:3668 https://access.redhat.com/errata/RHSA-2024:3668
RHSA-2024:3670 https://access.redhat.com/errata/RHSA-2024:3670
RHSA-2024:3671 https://access.redhat.com/errata/RHSA-2024:3671
RHSA-2024:3838 https://access.redhat.com/errata/RHSA-2024:3838
RHSA-2024:4499 https://access.redhat.com/errata/RHSA-2024:4499
USN-6853-1 https://usn.ubuntu.com/6853-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27280.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/ruby/stringio
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://hackerone.com/reports/1399856
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-09T18:08:05Z/ Found at https://hackerone.com/reports/1399856
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-27280
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20250502-0003
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-09T18:08:05Z/ Found at https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
Exploit Prediction Scoring System (EPSS)
Percentile 0.77828
EPSS Score 0.01181
Published At July 4, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:10:21.864281+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-v5h6-c2hv-hv3r/GHSA-v5h6-c2hv-hv3r.json 36.1.3