Search for vulnerabilities
Vulnerability details: VCID-5bdv-rt41-xyfx
Vulnerability ID VCID-5bdv-rt41-xyfx
Aliases CVE-2024-27282
Summary An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-125 Out-of-bounds Read
System Score Found at
cvssv3 6.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27282.json
epss 0.00234 https://api.first.org/data/v1/epss?cve=CVE-2024-27282
epss 0.00405 https://api.first.org/data/v1/epss?cve=CVE-2024-27282
epss 0.00405 https://api.first.org/data/v1/epss?cve=CVE-2024-27282
epss 0.00405 https://api.first.org/data/v1/epss?cve=CVE-2024-27282
epss 0.00405 https://api.first.org/data/v1/epss?cve=CVE-2024-27282
epss 0.00405 https://api.first.org/data/v1/epss?cve=CVE-2024-27282
epss 0.00405 https://api.first.org/data/v1/epss?cve=CVE-2024-27282
epss 0.00489 https://api.first.org/data/v1/epss?cve=CVE-2024-27282
cvssv3.1 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 6.6 https://hackerone.com/reports/2122624
ssvc Track https://hackerone.com/reports/2122624
cvssv3.1 6.6 https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
ssvc Track https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27282.json
https://api.first.org/data/v1/epss?cve=CVE-2024-27282
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27282
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/2122624
https://security.netapp.com/advisory/ntap-20241011-0007/
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
1069968 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069968
2276810 https://bugzilla.redhat.com/show_bug.cgi?id=2276810
CVE-2024-27282 https://nvd.nist.gov/vuln/detail/CVE-2024-27282
RHSA-2024:3500 https://access.redhat.com/errata/RHSA-2024:3500
RHSA-2024:3546 https://access.redhat.com/errata/RHSA-2024:3546
RHSA-2024:3668 https://access.redhat.com/errata/RHSA-2024:3668
RHSA-2024:3670 https://access.redhat.com/errata/RHSA-2024:3670
RHSA-2024:3671 https://access.redhat.com/errata/RHSA-2024:3671
RHSA-2024:3838 https://access.redhat.com/errata/RHSA-2024:3838
RHSA-2024:4499 https://access.redhat.com/errata/RHSA-2024:4499
USN-6838-1 https://usn.ubuntu.com/6838-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27282.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L Found at https://hackerone.com/reports/2122624
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T18:26:58Z/ Found at https://hackerone.com/reports/2122624
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L Found at https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T18:26:58Z/ Found at https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
Exploit Prediction Scoring System (EPSS)
Percentile 0.46251
EPSS Score 0.00234
Published At July 4, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:14:03.421407+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/6838-1/ 36.1.3