Double Free Affecting ruby package, versions <3.1.2-r0


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
2.74% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE320-RUBY-7011297
  • published23 May 2024
  • disclosed9 May 2022

Introduced: 9 May 2022

CVE-2022-28738  (opens in a new tab)
CWE-415  (opens in a new tab)

How to fix?

Upgrade Alpine:3.20 ruby to version 3.1.2-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ruby package and not the ruby package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.

CVSS Base Scores

version 3.1