{"api_version":"1","generated_at":"2026-04-22T21:27:01+00:00","cve":"CVE-2020-10933","urls":{"html":"https://cve.report/CVE-2020-10933","api":"https://cve.report/api/cve/CVE-2020-10933.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-10933","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-10933"},"summary":{"title":"CVE-2020-10933","description":"An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-05-04 15:15:00","updated_at":"2023-11-07 03:14:00"},"problem_types":["CWE-908"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20200625-0001/","name":"https://security.netapp.com/advisory/ntap-20200625-0001/","refsource":"CONFIRM","tags":[],"title":"CVE-2020-10933 Ruby Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.debian.org/security/2020/dsa-4721","name":"DSA-4721","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4721-1 ruby2.5","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/","name":"https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/","refsource":"CONFIRM","tags":["Exploit","Vendor Advisory"],"title":"CVE-2020-10933: Heap exposure vulnerability in the socket library","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/","name":"FEDORA-2020-a95706b117","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 31 Update: ruby-2.6.6-125.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/","name":"FEDORA-2020-a95706b117","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: ruby-2.6.6-125.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-10933","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10933","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"10933","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"10933","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"10933","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"10933","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"10933","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"ruby","cpe6":"2.7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"10933","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"ruby","cpe6":"2.7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"10933","vulnerable":"1","versionEndIncluding":"2.5.7","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"ruby","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"10933","vulnerable":"1","versionEndIncluding":"2.6.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"ruby","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-10933","qid":"159290","title":"Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2021-2587)"},{"cve":"CVE-2020-10933","qid":"159298","title":"Oracle Enterprise Linux Security Update for ruby:2.6 (ELSA-2021-2588)"},{"cve":"CVE-2020-10933","qid":"198302","title":"Ubuntu Security Notification for Ruby2.3, Ruby2.5, Ruby2.7 Vulnerabilities (USN-4882-1)"},{"cve":"CVE-2020-10933","qid":"239350","title":"Red Hat Update for rh-ruby25-ruby (RHSA-2021:2104)"},{"cve":"CVE-2020-10933","qid":"239368","title":"Red Hat Update for rh-ruby26-ruby (RHSA-2021:2230)"},{"cve":"CVE-2020-10933","qid":"239461","title":"Red Hat Update for ruby:2.6 (RHSA-2021:2588)"},{"cve":"CVE-2020-10933","qid":"239462","title":"Red Hat Update for ruby:2.5 (RHSA-2021:2587)"},{"cve":"CVE-2020-10933","qid":"240156","title":"Red Hat Update for ruby:2.6 (RHSA-2022:0582)"},{"cve":"CVE-2020-10933","qid":"296073","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 24.75.2 Missing (CPUJUL2020)"},{"cve":"CVE-2020-10933","qid":"356305","title":"Amazon Linux Security Advisory for ruby : ALASRUBY2.6-2023-007"},{"cve":"CVE-2020-10933","qid":"500613","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2020-10933","qid":"504373","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2020-10933","qid":"900069","title":"CBL-Mariner Linux Security Update for ruby 2.6.3"},{"cve":"CVE-2020-10933","qid":"903609","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for ruby (2673)"},{"cve":"CVE-2020-10933","qid":"940189","title":"AlmaLinux Security Update for ruby:2.6 (ALSA-2021:2588)"},{"cve":"CVE-2020-10933","qid":"940401","title":"AlmaLinux Security Update for ruby:2.5 (ALSA-2021:2587)"},{"cve":"CVE-2020-10933","qid":"960022","title":"Rocky Linux Security Update for ruby:2.6 (RLSA-2021:2588)"},{"cve":"CVE-2020-10933","qid":"960064","title":"Rocky Linux Security Update for ruby:2.5 (RLSA-2021:2587)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-10933","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/","url":"https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/"},{"refsource":"FEDORA","name":"FEDORA-2020-a95706b117","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20200625-0001/","url":"https://security.netapp.com/advisory/ntap-20200625-0001/"},{"refsource":"DEBIAN","name":"DSA-4721","url":"https://www.debian.org/security/2020/dsa-4721"}]}},"nvd":{"publishedDate":"2020-05-04 15:15:00","lastModifiedDate":"2023-11-07 03:14:00","problem_types":["CWE-908"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","versionStartIncluding":"2.5.0","versionEndIncluding":"2.5.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.0","versionEndIncluding":"2.6.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:2.7.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"10933","Ordinal":"171472","Title":"CVE-2020-10933","CVE":"CVE-2020-10933","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"10933","Ordinal":"1","NoteData":"An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"10933","Ordinal":"2","NoteData":"2020-05-04","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"10933","Ordinal":"3","NoteData":"2020-07-08","Type":"Other","Title":"Modified"}]}}}