CVE-2022-28739

Summary

CVE	CVE-2022-28739
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-05-09 18:15:00 UTC
Updated	2024-01-24 05:15:00 UTC
Description	There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

Risk And Classification

Problem Types: CWE-125

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Macos	All	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All

References

Reference	Source	Link	Tags
Full Disclosure: APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13	FULLDISC	seclists.org
Full Disclosure: APPLE-SA-2022-10-24-2 macOS Ventura 13	MISC	seclists.org
[SECURITY] [DLA 3450-1] ruby2.5 security update	MISC	lists.debian.org
Ruby: Multiple vulnerabilities (GLSA 202401-27) — Gentoo security		security.gentoo.org
About the security content of macOS Ventura 13 - Apple Support	CONFIRM	support.apple.com
Full Disclosure: APPLE-SA-2022-10-27-6 Additional information for APPLE-SA-2022-10-24-3 macOS Monterey 12.6.1	MISC	seclists.org
Full Disclosure: APPLE-SA-2022-10-24-3 macOS Monterey 12.6.1	MISC	seclists.org
Full Disclosure: APPLE-SA-2022-10-24-4 macOS Big Sur 11.7.1	MISC	seclists.org
About the security content of macOS Big Sur 11.7.1 - Apple Support	CONFIRM	support.apple.com
About the security content of macOS Monterey 12.6.1 - Apple Support	CONFIRM	support.apple.com
CVE-2022-28739: Buffer overrun in String-to-Float conversion	CONFIRM	www.ruby-lang.org
CVE-2022-28739	MISC	security-tracker.debian.org
May 2022 Ruby Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
HackerOne	MISC	hackerone.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159957 Oracle Enterprise Linux Security Update for ruby:2.6 (ELSA-2022-5338)
160091 Oracle Enterprise Linux Security Update for ruby:2.7 (ELSA-2022-6447)
160095 Oracle Enterprise Linux Security Update for ruby:3.0 (ELSA-2022-6450)
160103 Oracle Enterprise Linux Security Update for ruby (ELSA-2022-6585)
160403 Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2023-12064)
161185 Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2023-7025)
181836 Debian Security Update for ruby2.5 (DLA 3450-1)
198817 Ubuntu Security Notification for Ruby Vulnerabilities (USN-5462-1)
240516 Red Hat Update for ruby:2.6 security (RHSA-2022:5338)
240659 Red Hat Update for ruby:3.0 security (RHSA-2022:6450)
240661 Red Hat Update for ruby:2.7 security (RHSA-2022:6447)
240681 Red Hat Update for ruby security (RHSA-2022:6585)
240720 Red Hat Update for rh-ruby27-ruby security (RHSA-2022:6856)
240723 Red Hat Update for rh-ruby30-ruby security (RHSA-2022:6855)
242449 Red Hat Update for ruby:2.5 (RHSA-2023:7025)
282660 Fedora Security Update for ruby (FEDORA-2022-82a9edac27)
282661 Fedora Security Update for ruby (FEDORA-2022-8cf0124add)
296083 Oracle Solaris 11.4 Support Repository Update (SRU) 49.126.2 Missing (CPUOCT2022)
354072 Amazon Linux Security Advisory for ruby20 : ALAS-2022-1638
354079 Amazon Linux Security Advisory for ruby : ALAS2-2022-1853
356174 Amazon Linux Security Advisory for ruby : ALASRUBY3.0-2023-002
356262 Amazon Linux Security Advisory for ruby : ALASRUBY2.6-2023-001
356495 Amazon Linux Security Advisory for ruby : ALAS2RUBY3.0-2023-002
377692 Apple macOS Big Sur 11.7.1 Not Installed (HT213493)
377693 Apple macOS Monterey 12.6.1 Not Installed (HT213494)
500618 Alpine Linux Security Update for ruby
502025 Alpine Linux Security Update for ruby
502236 Alpine Linux Security Update for ruby
504378 Alpine Linux Security Update for ruby
671864 EulerOS Security Update for ruby (EulerOS-SA-2022-1915)
671873 EulerOS Security Update for ruby (EulerOS-SA-2022-1951)
671927 EulerOS Security Update for ruby (EulerOS-SA-2022-2010)
671951 EulerOS Security Update for ruby (EulerOS-SA-2022-1980)
672047 EulerOS Security Update for ruby (EulerOS-SA-2022-2248)
672081 EulerOS Security Update for ruby (EulerOS-SA-2022-2261)
672226 EulerOS Security Update for ruby (EulerOS-SA-2022-2634)
690839 Free Berkeley Software Distribution (FreeBSD) Security Update for ruby (06ed6a49-bad4-11ec-9cfe-0800270512f4)
710844 Gentoo Linux Ruby Multiple Vulnerabilities (GLSA 202401-27)
752103 SUSE Enterprise Linux Security Update for ruby2.5 (SUSE-SU-2022:1512-1)
901583 Common Base Linux Mariner (CBL-Mariner) Security Update for ruby (9746)
902233 Common Base Linux Mariner (CBL-Mariner) Security Update for ruby (9746-1)
940657 AlmaLinux Security Update for ruby:2.7 (ALSA-2022:6447)
940691 AlmaLinux Security Update for ruby (ALSA-2022:6585)
940849 AlmaLinux Security Update for ruby:3.0 (ALSA-2022:6450)
941437 AlmaLinux Security Update for ruby:2.5 (ALSA-2023:7025)
960416 Rocky Linux Security Update for ruby:2.6 (RLSA-2022:5338)
960532 Rocky Linux Security Update for ruby (RLSA-2022:6585)
960588 Rocky Linux Security Update for ruby:2.7 (RLSA-2022:6447)