Details of VAR-202204-0855

ID

VAR-202204-0855

CVE

CVE-2022-28739

TITLE

Ruby Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202204-3369

DESCRIPTION

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. Bug Fix(es): * ruby 3.0: User-installed rubygems plugins are not being loaded [RHEL8] (BZ#2110981) 4. ========================================================================= Ubuntu Security Notice USN-5462-1 June 06, 2022 ruby2.5, ruby2.7, ruby3.0 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 21.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Ruby. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-28738) It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2022-28739) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: libruby3.0 3.0.2-7ubuntu2.1 ruby3.0 3.0.2-7ubuntu2.1 Ubuntu 21.10: libruby2.7 2.7.4-1ubuntu3.2 ruby2.7 2.7.4-1ubuntu3.2 Ubuntu 20.04 LTS: libruby2.7 2.7.0-5ubuntu1.7 ruby2.7 2.7.0-5ubuntu1.7 Ubuntu 18.04 LTS: libruby2.5 2.5.1-1ubuntu1.12 ruby2.5 2.5.1-1ubuntu1.12 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-10-27-8 Additional information for APPLE-SA-2022-10-24-4 macOS Big Sur 11.7.1 macOS Big Sur 11.7.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213493. AppleMobileFileIntegrity Available for: macOS Big Sur Impact: An app may be able to modify protected parts of the file system Description: This issue was addressed by removing additional entitlements. CVE-2022-42825: Mickey Jin (@patch1t) Audio Available for: macOS Big Sur Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information Description: The issue was addressed with improved memory handling. CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative Entry added October 27, 2022 Kernel Available for: macOS Big Sur Impact: An app may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai Entry added October 27, 2022 ppp Available for: macOS Big Sur Impact: A buffer overflow may result in arbitrary code execution Description: The issue was addressed with improved bounds checks. CVE-2022-32941: an anonymous researcher Entry added October 27, 2022 Ruby Available for: macOS Big Sur Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: A memory corruption issue was addressed by updating Ruby to version 2.6.10. CVE-2022-28739 Sandbox Available for: macOS Big Sur Impact: An app with root privileges may be able to access private information Description: This issue was addressed with improved data protection. CVE-2022-32862: an anonymous researcher zlib Available for: macOS Big Sur Impact: A user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-37434: Evgeny Legerov CVE-2022-42800: Evgeny Legerov Entry added October 27, 2022 macOS Big Sur 11.7.1 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. CVE-2022-32862: an anonymous researcher Additional recognition Calendar We would like to acknowledge an anonymous researcher for their assistance. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: ruby:2.6 security, bug fix, and enhancement update Advisory ID: RHSA-2022:5338-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:5338 Issue date: 2022-06-28 CVE Names: CVE-2022-28739 ==================================================================== 1. Summary: An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby (2.6.10). (BZ#2089374) Security Fix(es): * Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2075687 - CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion 2089374 - ruby:2.6/ruby: Rebase to the latest Ruby 2.6 point release [rhel-8] [rhel-8.6.0.z] 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: ruby-2.6.10-109.module+el8.6.0+15475+c55337b4.src.rpm rubygem-abrt-0.3.0-4.module+el8.1.0+3653+beb38eb0.src.rpm rubygem-bson-4.5.0-1.module+el8.1.0+3653+beb38eb0.src.rpm rubygem-mongo-2.8.0-1.module+el8.1.0+3653+beb38eb0.src.rpm rubygem-mysql2-0.5.2-1.module+el8.1.0+3653+beb38eb0.src.rpm rubygem-pg-1.1.4-1.module+el8.1.0+3653+beb38eb0.src.rpm aarch64: ruby-2.6.10-109.module+el8.6.0+15475+c55337b4.aarch64.rpm ruby-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.aarch64.rpm ruby-debugsource-2.6.10-109.module+el8.6.0+15475+c55337b4.aarch64.rpm ruby-devel-2.6.10-109.module+el8.6.0+15475+c55337b4.aarch64.rpm ruby-libs-2.6.10-109.module+el8.6.0+15475+c55337b4.aarch64.rpm ruby-libs-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-bigdecimal-1.4.1-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-bigdecimal-debuginfo-1.4.1-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-bson-4.5.0-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-bson-debuginfo-4.5.0-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-bson-debugsource-4.5.0-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-io-console-0.4.7-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-io-console-debuginfo-0.4.7-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-json-2.1.0-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-json-debuginfo-2.1.0-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-mysql2-0.5.2-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-mysql2-debuginfo-0.5.2-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-mysql2-debugsource-0.5.2-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-openssl-2.1.2-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-openssl-debuginfo-2.1.2-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-pg-1.1.4-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-pg-debuginfo-1.1.4-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-pg-debugsource-1.1.4-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-psych-3.1.0-109.module+el8.6.0+15475+c55337b4.aarch64.rpm rubygem-psych-debuginfo-3.1.0-109.module+el8.6.0+15475+c55337b4.aarch64.rpm noarch: ruby-doc-2.6.10-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-abrt-0.3.0-4.module+el8.1.0+3653+beb38eb0.noarch.rpm rubygem-abrt-doc-0.3.0-4.module+el8.1.0+3653+beb38eb0.noarch.rpm rubygem-bson-doc-4.5.0-1.module+el8.1.0+3653+beb38eb0.noarch.rpm rubygem-bundler-1.17.2-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-did_you_mean-1.3.0-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-irb-1.0.0-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-minitest-5.11.3-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-mongo-2.8.0-1.module+el8.1.0+3653+beb38eb0.noarch.rpm rubygem-mongo-doc-2.8.0-1.module+el8.1.0+3653+beb38eb0.noarch.rpm rubygem-mysql2-doc-0.5.2-1.module+el8.1.0+3653+beb38eb0.noarch.rpm rubygem-net-telnet-0.2.0-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-pg-doc-1.1.4-1.module+el8.1.0+3653+beb38eb0.noarch.rpm rubygem-power_assert-1.1.3-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-rake-12.3.3-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-rdoc-6.1.2.1-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-test-unit-3.2.9-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygem-xmlrpc-0.3.0-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygems-3.0.3.1-109.module+el8.6.0+15475+c55337b4.noarch.rpm rubygems-devel-3.0.3.1-109.module+el8.6.0+15475+c55337b4.noarch.rpm ppc64le: ruby-2.6.10-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm ruby-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm ruby-debugsource-2.6.10-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm ruby-devel-2.6.10-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm ruby-libs-2.6.10-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm ruby-libs-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-bigdecimal-1.4.1-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-bigdecimal-debuginfo-1.4.1-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-bson-4.5.0-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-bson-debuginfo-4.5.0-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-bson-debugsource-4.5.0-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-io-console-0.4.7-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-io-console-debuginfo-0.4.7-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-json-2.1.0-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-json-debuginfo-2.1.0-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-mysql2-0.5.2-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-mysql2-debuginfo-0.5.2-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-mysql2-debugsource-0.5.2-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-openssl-2.1.2-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-openssl-debuginfo-2.1.2-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-pg-1.1.4-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-pg-debuginfo-1.1.4-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-pg-debugsource-1.1.4-1.module+el8.1.0+3653+beb38eb0.ppc64le.rpm rubygem-psych-3.1.0-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm rubygem-psych-debuginfo-3.1.0-109.module+el8.6.0+15475+c55337b4.ppc64le.rpm s390x: ruby-2.6.10-109.module+el8.6.0+15475+c55337b4.s390x.rpm ruby-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.s390x.rpm ruby-debugsource-2.6.10-109.module+el8.6.0+15475+c55337b4.s390x.rpm ruby-devel-2.6.10-109.module+el8.6.0+15475+c55337b4.s390x.rpm ruby-libs-2.6.10-109.module+el8.6.0+15475+c55337b4.s390x.rpm ruby-libs-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-bigdecimal-1.4.1-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-bigdecimal-debuginfo-1.4.1-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-bson-4.5.0-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-bson-debuginfo-4.5.0-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-bson-debugsource-4.5.0-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-io-console-0.4.7-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-io-console-debuginfo-0.4.7-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-json-2.1.0-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-json-debuginfo-2.1.0-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-mysql2-0.5.2-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-mysql2-debuginfo-0.5.2-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-mysql2-debugsource-0.5.2-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-openssl-2.1.2-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-openssl-debuginfo-2.1.2-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-pg-1.1.4-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-pg-debuginfo-1.1.4-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-pg-debugsource-1.1.4-1.module+el8.1.0+3653+beb38eb0.s390x.rpm rubygem-psych-3.1.0-109.module+el8.6.0+15475+c55337b4.s390x.rpm rubygem-psych-debuginfo-3.1.0-109.module+el8.6.0+15475+c55337b4.s390x.rpm x86_64: ruby-2.6.10-109.module+el8.6.0+15475+c55337b4.i686.rpm ruby-2.6.10-109.module+el8.6.0+15475+c55337b4.x86_64.rpm ruby-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.i686.rpm ruby-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.x86_64.rpm ruby-debugsource-2.6.10-109.module+el8.6.0+15475+c55337b4.i686.rpm ruby-debugsource-2.6.10-109.module+el8.6.0+15475+c55337b4.x86_64.rpm ruby-devel-2.6.10-109.module+el8.6.0+15475+c55337b4.i686.rpm ruby-devel-2.6.10-109.module+el8.6.0+15475+c55337b4.x86_64.rpm ruby-libs-2.6.10-109.module+el8.6.0+15475+c55337b4.i686.rpm ruby-libs-2.6.10-109.module+el8.6.0+15475+c55337b4.x86_64.rpm ruby-libs-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.i686.rpm ruby-libs-debuginfo-2.6.10-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-bigdecimal-1.4.1-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-bigdecimal-1.4.1-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-bigdecimal-debuginfo-1.4.1-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-bigdecimal-debuginfo-1.4.1-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-bson-4.5.0-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-bson-debuginfo-4.5.0-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-bson-debugsource-4.5.0-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-io-console-0.4.7-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-io-console-0.4.7-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-io-console-debuginfo-0.4.7-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-io-console-debuginfo-0.4.7-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-json-2.1.0-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-json-2.1.0-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-json-debuginfo-2.1.0-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-json-debuginfo-2.1.0-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-mysql2-0.5.2-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-mysql2-debuginfo-0.5.2-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-mysql2-debugsource-0.5.2-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-openssl-2.1.2-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-openssl-2.1.2-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-openssl-debuginfo-2.1.2-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-openssl-debuginfo-2.1.2-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-pg-1.1.4-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-pg-debuginfo-1.1.4-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-pg-debugsource-1.1.4-1.module+el8.1.0+3653+beb38eb0.x86_64.rpm rubygem-psych-3.1.0-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-psych-3.1.0-109.module+el8.6.0+15475+c55337b4.x86_64.rpm rubygem-psych-debuginfo-3.1.0-109.module+el8.6.0+15475+c55337b4.i686.rpm rubygem-psych-debuginfo-3.1.0-109.module+el8.6.0+15475+c55337b4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-28739 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYr5BdtzjgjWX9erEAQjJNg//aMV8gwcjxgJsrKs17hpExxVLB7OuKWo/ uquO6Ejnmd3MWlJmBSqzQ45OLTwKWatqldQDmNsKJjZkEqF12UijPuAWrjW8Y2tn syEdYispTdnVSf40hSNaNY5vOEcKILZM8LnEIO5krFtx1jvqzJpYrkUOYWdxSuws Ey4as204xnqwOml0yzysLHokvdG56KgADogfVBZqE1L22xMz/O5n2MJZCn/+N34C VjtQjIp1i/PK+NiJcx3p2tZgkDSF/YV1iXwXq05rvIpWeKLXW0C07GafjHmaRa+V 7NR4kRH3ZqHAOSVle9dcgER6pvNKOHjY/0NI9+41/KwEzrq+KvSABwJoieduRDrg wPNP5OP8aASi/5T5ha001mO+viqKU5hYterZ2xbCw5bb11YEkowRW5BjeTC9Jtj3 N0SS1NubY8EZkN02k0/ORpAq8z3VuRrMrQxHmybrBflzndXF97UMSCtlayOKql+A SEu7GvLE6EJ0yuWetTopWDKuXxLS//pb2N9i57jNhw/YoTEvfbmoF4zihL9BssKk So398FfwSZqRx3xmsGRLbd2EjwlqD0mE7f2sKN9NXXEherzb3IGxbs0yA6QUWBUq NaAlNKiDRvr1xNii5fdG9m3pJ/4uR8JxZ9s6hzbWHS25e3BuPJwXw9HWKuCRl6a0 lNjbIQ2UtqQ=MUrM -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 1.71

sources: NVD: CVE-2022-28739 // VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // PACKETSTORM: 168357 // PACKETSTORM: 167421 // PACKETSTORM: 168360 // PACKETSTORM: 169577 // PACKETSTORM: 169552 // PACKETSTORM: 167654 // PACKETSTORM: 167425

AFFECTED PRODUCTS

vendor:	apple	model:	macos	scope:	lt	version:	12.6.1	Trust: 1.0
vendor:	apple	model:	macos	scope:	gte	version:	12.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	gte	version:	2.7.0	Trust: 1.0
vendor:	apple	model:	macos	scope:	gte	version:	11.0	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	lt	version:	3.0.4	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	gte	version:	3.1.0	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	lt	version:	2.6.10	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	lt	version:	3.1.2	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	lt	version:	2.7.6	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	11.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	apple	model:	macos	scope:	lt	version:	11.7.1	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	gte	version:	3.0.0	Trust: 1.0

sources: NVD: CVE-2022-28739

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-28739
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202204-3369
value:	HIGH
Trust: 0.6
VULHUB:	VHN-420273
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-28739
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-28739
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-420273
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-28739
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // CNNVD: CNNVD-202204-3369 // NVD: CVE-2022-28739

PROBLEMTYPE DATA

problemtype:

CWE-125

Trust: 1.1

sources: VULHUB: VHN-420273 // NVD: CVE-2022-28739

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3369

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202204-3369

PATCH

title:	Ruby Buffer error vulnerability fix	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=193537	Trust: 0.6
title:	Debian CVElist Bug Report Logs: ruby3.0: CVE-2022-28739	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=4f290816c3711b33b2aedd7bdd7e13d8	Trust: 0.1
title:	Ubuntu Security Notice: USN-5462-1: Ruby vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5462-1	Trust: 0.1
title:	Ubuntu Security Notice: USN-5462-2: Ruby vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5462-2	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2022-1638	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2022-1638	Trust: 0.1
title:	Red Hat: Moderate: ruby:2.6 security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20225338 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: ruby security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226585 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: ruby:2.7 security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226447 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: ruby:3.0 security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226450 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: rh-ruby27-ruby security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226856 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: ruby:2.5 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20237025 - Security Advisory	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2022-28739	Trust: 0.1
title:	Amazon Linux 2: ALASRUBY2.6-2023-001	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASRUBY2.6-2023-001	Trust: 0.1
title:	Amazon Linux 2: ALAS2-2022-1853	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2022-1853	Trust: 0.1
title:	Red Hat: Moderate: rh-ruby30-ruby security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226855 - Security Advisory	Trust: 0.1
title:	Amazon Linux 2: ALASRUBY3.0-2023-002	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASRUBY3.0-2023-002	Trust: 0.1
title:	Ruby Advisory Database	url:	https://github.com/rubysec/ruby-advisory-db	Trust: 0.1
title:	Ruby Advisory Database	url:	https://github.com/jasnow/585-652-ruby-advisory-db	Trust: 0.1
title:	veracode-container-security-finding-parser	url:	https://github.com/vincent-deng/veracode-container-security-finding-parser	Trust: 0.1

sources: VULMON: CVE-2022-28739 // CNNVD: CNNVD-202204-3369

EXTERNAL IDS

db:	NVD	id:	CVE-2022-28739	Trust: 2.5
db:	HACKERONE	id:	1248108	Trust: 1.8
db:	PACKETSTORM	id:	168360	Trust: 0.8
db:	PACKETSTORM	id:	167425	Trust: 0.8
db:	PACKETSTORM	id:	167654	Trust: 0.8
db:	PACKETSTORM	id:	169577	Trust: 0.8
db:	PACKETSTORM	id:	168691	Trust: 0.7
db:	CS-HELP	id:	SB2022041404	Trust: 0.6
db:	CS-HELP	id:	SB2022060723	Trust: 0.6
db:	CS-HELP	id:	SB2022072010	Trust: 0.6
db:	CS-HELP	id:	SB2022070105	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.4673	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.5061	Trust: 0.6
db:	AUSCERT	id:	ESB-2023.3320	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.2802	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.5301	Trust: 0.6
db:	PACKETSTORM	id:	168445	Trust: 0.6
db:	CNNVD	id:	CNNVD-202204-3369	Trust: 0.6
db:	PACKETSTORM	id:	168357	Trust: 0.2
db:	PACKETSTORM	id:	169552	Trust: 0.2
db:	PACKETSTORM	id:	167421	Trust: 0.2
db:	PACKETSTORM	id:	169553	Trust: 0.1
db:	PACKETSTORM	id:	168692	Trust: 0.1
db:	PACKETSTORM	id:	169566	Trust: 0.1
db:	VULHUB	id:	VHN-420273	Trust: 0.1
db:	ICS CERT	id:	ICSA-24-046-11	Trust: 0.1
db:	VULMON	id:	CVE-2022-28739	Trust: 0.1

sources: VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // PACKETSTORM: 168357 // PACKETSTORM: 167421 // PACKETSTORM: 168360 // PACKETSTORM: 169577 // PACKETSTORM: 169552 // PACKETSTORM: 167654 // PACKETSTORM: 167425 // CNNVD: CNNVD-202204-3369 // NVD: CVE-2022-28739

REFERENCES

url:	http://seclists.org/fulldisclosure/2022/oct/28	Trust: 1.8
url:	http://seclists.org/fulldisclosure/2022/oct/29	Trust: 1.8
url:	http://seclists.org/fulldisclosure/2022/oct/30	Trust: 1.8
url:	http://seclists.org/fulldisclosure/2022/oct/41	Trust: 1.8
url:	http://seclists.org/fulldisclosure/2022/oct/42	Trust: 1.8
url:	https://hackerone.com/reports/1248108	Trust: 1.8
url:	https://security-tracker.debian.org/tracker/cve-2022-28739	Trust: 1.8
url:	https://security.netapp.com/advisory/ntap-20220624-0002/	Trust: 1.8
url:	https://support.apple.com/kb/ht213488	Trust: 1.8
url:	https://support.apple.com/kb/ht213493	Trust: 1.8
url:	https://support.apple.com/kb/ht213494	Trust: 1.8
url:	https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/	Trust: 1.8
url:	https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html	Trust: 1.7
url:	https://security.gentoo.org/glsa/202401-27	Trust: 1.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-28739	Trust: 0.7
url:	https://www.auscert.org.au/bulletins/esb-2022.2802	Trust: 0.6
url:	https://packetstormsecurity.com/files/168360/red-hat-security-advisory-2022-6447-01.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb20220720108	Trust: 0.6
url:	https://packetstormsecurity.com/files/167425/ubuntu-security-notice-usn-5462-2.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022060723	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022041404	Trust: 0.6
url:	https://packetstormsecurity.com/files/168445/red-hat-security-advisory-2022-6585-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2023.3320	Trust: 0.6
url:	https://packetstormsecurity.com/files/168691/red-hat-security-advisory-2022-6856-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.5061	Trust: 0.6
url:	https://support.apple.com/en-us/ht213494	Trust: 0.6
url:	https://packetstormsecurity.com/files/169577/apple-security-advisory-2022-10-27-8.html	Trust: 0.6
url:	https://packetstormsecurity.com/files/167654/red-hat-security-advisory-2022-5338-01.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.4673	Trust: 0.6
url:	https://vigilance.fr/vulnerability/ruby-buffer-overflow-via-string-to-float-conversion-38079	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.5301	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022070105	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-28739/	Trust: 0.6
url:	https://ubuntu.com/security/notices/usn-5462-1	Trust: 0.3
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.3
url:	https://access.redhat.com/security/team/key/	Trust: 0.3
url:	https://access.redhat.com/articles/11258	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-28739	Trust: 0.3
url:	https://access.redhat.com/security/team/contact/	Trust: 0.3
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.3
url:	https://bugzilla.redhat.com/):	Trust: 0.3
url:	https://ubuntu.com/security/notices/usn-5462-2	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41817	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-41819	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-28738	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41819	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-41817	Trust: 0.2
url:	https://support.apple.com/en-us/ht201222.	Trust: 0.2
url:	https://support.apple.com/downloads/	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32862	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42825	Trust: 0.2
url:	https://www.apple.com/support/security/pgp/	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/125.html	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009956	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-11	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-28738	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:6450	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.7/2.7.4-1ubuntu3.2	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.12	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.7	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:6447	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42798	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-37434	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32944	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42800	Trust: 0.1
url:	https://support.apple.com/ht213493.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32941	Trust: 0.1
url:	https://support.apple.com/ht213494.	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:5338	Trust: 0.1

CREDITS

Red Hat

Trust: 0.3

sources: PACKETSTORM: 168357 // PACKETSTORM: 168360 // PACKETSTORM: 167654

SOURCES

db:	VULHUB	id:	VHN-420273
db:	VULMON	id:	CVE-2022-28739
db:	PACKETSTORM	id:	168357
db:	PACKETSTORM	id:	167421
db:	PACKETSTORM	id:	168360
db:	PACKETSTORM	id:	169577
db:	PACKETSTORM	id:	169552
db:	PACKETSTORM	id:	167654
db:	PACKETSTORM	id:	167425
db:	CNNVD	id:	CNNVD-202204-3369
db:	NVD	id:	CVE-2022-28739

LAST UPDATE DATE

2025-04-01T20:39:16.354000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-420273	date:	2022-11-08T00:00:00
db:	VULMON	id:	CVE-2022-28739	date:	2024-01-24T00:00:00
db:	CNNVD	id:	CNNVD-202204-3369	date:	2023-06-13T00:00:00
db:	NVD	id:	CVE-2022-28739	date:	2024-11-21T06:57:50.467

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-420273	date:	2022-05-09T00:00:00
db:	VULMON	id:	CVE-2022-28739	date:	2022-05-09T00:00:00
db:	PACKETSTORM	id:	168357	date:	2022-09-13T15:43:25
db:	PACKETSTORM	id:	167421	date:	2022-06-07T15:13:54
db:	PACKETSTORM	id:	168360	date:	2022-09-13T15:44:10
db:	PACKETSTORM	id:	169577	date:	2022-10-31T14:43:13
db:	PACKETSTORM	id:	169552	date:	2022-10-31T14:19:21
db:	PACKETSTORM	id:	167654	date:	2022-07-01T14:58:20
db:	PACKETSTORM	id:	167425	date:	2022-06-07T15:15:31
db:	CNNVD	id:	CNNVD-202204-3369	date:	2022-04-14T00:00:00
db:	NVD	id:	CVE-2022-28739	date:	2022-05-09T18:15:08.540