Home/CVE/A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3
CVE
CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version.
however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
CRITICAL · CVSS 9.8
EPSS 0.08616
Act now
- EPSS percentile: top 7% of all CVEs by exploitation likelihood
- Public exploit or PoC is available
- SSVC automatable: yes - attacks can be scripted at scale
- CVSS base score ≥ 7.0
Sigma rules0
YARA rules0
Look this up elsewhere - one-click external pivots
▸
How to read a CVE - triage first, then detect and patch
This page is every public fact about CVE-2024-27280, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.
Triage: should I act now? Four signals, and they are not interchangeable:
CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked.
EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal.
CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score.
Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.
How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.
Then what - two workflows:
Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits.
PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.
Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).
◆
ATT&CK techniques
1Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.
▤ Build a SIEM detection for these techniques▤
CAPEC attack patterns
12Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.
CAPEC-CAPEC-10 · Buffer Overflow via Environment Variables CAPEC-CAPEC-100 · Overflow Buffers CAPEC-CAPEC-14 · Client-side Injection-induced Buffer Overflow CAPEC-CAPEC-24 · Filter Failure through Buffer Overflow CAPEC-CAPEC-42 · MIME Conversion CAPEC-CAPEC-44 · Overflow Binary Resource File CAPEC-CAPEC-45 · Buffer Overflow via Symbolic Links CAPEC-CAPEC-46 · Overflow Variables and Tags CAPEC-CAPEC-47 · Buffer Overflow via Parameter Expansion CAPEC-CAPEC-67 · String Format Overflow in syslog() CAPEC-CAPEC-8 · Buffer Overflow in an API Call CAPEC-CAPEC-9 · Buffer Overflow in Local Command-Line Utilities
⬡
Weakness Classification
▤
Affected Packages
9Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
Debian:11
ruby2.7
fixed in 2.7.4-1+deb11u2
Debian:12
ruby3.1
fixed in 3.1.2-7+deb12u1
RubyGems
stringio
CRITICAL
fixed in 3.0.1.1
Ubuntu:20.04:LTS
ruby2.7
fixed in 2.7.0-5ubuntu1.14
Ubuntu:22.04:LTS
ruby3.0
fixed in 3.0.2-7ubuntu2.7
Ubuntu:23.10
ruby3.1
fixed in 3.1.2-7ubuntu3.3
Ubuntu:24.04:LTS
ruby3.2
fixed in 3.2.3-1build3
Ubuntu:Pro:16.04:LTS
ruby2.3
Ubuntu:Pro:18.04:LTS
ruby2.5
⚠
Public Exploits & PoCs
1These PoC and exploit links come from public sources and are not verified to be safe or functional. Review the code before running anything, and treat unverified entries as untrusted.
📦
Fixed versions by distribution
80The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
alpine edgeruby fixed in 3.3.1-r0
alpine v3.19ruby fixed in 3.2.4-r0
alpine v3.20ruby fixed in 3.3.1-r0
oracle allruby open
oracle allruby-bundled-gems fixed in 0:3.3.1-2.module+el8.10.0+90349+dd8a48dc
oracle allruby-default-gems fixed in 0:3.0.7-143.module+el8.10.0+90343+d5e92a1d
oracle allruby-devel open
oracle allruby-irb fixed in 0:2.5.9-112.module+el8.10.0+90367+ae9e8511
oracle allruby-libs open
oracle allrubygem-abrt fixed in 0:0.3.0-4.module+el8.10.0+90367+ae9e8511
oracle allrubygem-bigdecimal open
oracle allrubygem-bson open
oracle allrubygem-bundler open
oracle allrubygem-did_you_mean fixed in 0:1.2.0-112.module+el8.10.0+90367+ae9e8511
oracle allrubygem-io-console open
oracle allrubygem-irb open
oracle allrubygem-json fixed in 0:2.1.0-112.module+el8.10.0+90367+ae9e8511
oracle allrubygem-minitest fixed in 0:5.10.3-112.module+el8.10.0+90367+ae9e8511
oracle allrubygem-mongo fixed in 0:2.5.1-2.module+el8.9.0+90042+a65659a6
oracle allrubygem-mysql2 fixed in 0:0.4.10-4.module+el8.9.0+90042+a65659a6
oracle allrubygem-net-telnet fixed in 0:0.1.1-112.module+el8.10.0+90367+ae9e8511
oracle allrubygem-openssl open
oracle allrubygem-pg open
oracle allrubygem-power_assert open
oracle allrubygem-psych fixed in 0:3.0.2-112.module+el8.10.0+90367+ae9e8511
oracle allrubygem-racc open
oracle allrubygem-rake fixed in 0:12.3.3-112.module+el8.10.0+90367+ae9e8511
oracle allrubygem-rbs open
oracle allrubygem-rdoc fixed in 0:6.0.1.1-112.module+el8.10.0+90367+ae9e8511
oracle allrubygem-rexml fixed in 0:3.2.5-143.module+el8.10.0+90343+d5e92a1d
oracle allrubygem-rss fixed in 0:0.2.9-143.module+el8.10.0+90343+d5e92a1d
oracle allrubygem-test-unit fixed in 0:3.2.7-112.module+el8.10.0+90367+ae9e8511
oracle allrubygem-typeprof open
oracle allrubygem-xmlrpc open
oracle allrubygems fixed in 0:2.7.6.3-112.module+el8.10.0+90367+ae9e8511
oracle allrubygems-devel open
rhel 8ruby fixed in 0:2.5.9-112.module+el8.10.0+22021+135c76a8
rhel 8ruby-bundled-gems open
rhel 8ruby-default-gems fixed in 0:3.3.1-2.module+el8.10.0+21860+47fbda2a
rhel 8ruby-devel open
rhel 8ruby-irb open
rhel 8ruby-libs open
rhel 8rubygem-abrt open
rhel 8rubygem-bigdecimal fixed in 0:1.3.4-112.module+el8.10.0+22021+135c76a8
rhel 8rubygem-bson open
rhel 8rubygem-bundler fixed in 0:1.16.1-4.module+el8.10.0+22021+135c76a8
rhel 8rubygem-did_you_mean open
rhel 8rubygem-io-console open
rhel 8rubygem-irb open
rhel 8rubygem-json fixed in 0:2.1.0-112.module+el8.10.0+22021+135c76a8
rhel 8rubygem-minitest fixed in 0:5.10.3-112.module+el8.10.0+22021+135c76a8
rhel 8rubygem-mongo open
rhel 8rubygem-mysql2 fixed in 0:0.4.10-4.module+el8.9.0+19193+435404ae
rhel 8rubygem-net-telnet fixed in 0:0.1.1-112.module+el8.10.0+22021+135c76a8
rhel 8rubygem-openssl open
rhel 8rubygem-pg fixed in 0:1.0.0-3.module+el8.9.0+19193+435404ae
rhel 8rubygem-power_assert fixed in 0:1.1.1-112.module+el8.10.0+22021+135c76a8
rhel 8rubygem-psych fixed in 0:3.0.2-112.module+el8.10.0+22021+135c76a8
rhel 8rubygem-racc fixed in 0:1.7.3-2.module+el8.10.0+21860+47fbda2a
rhel 8rubygem-rake open
rhel 8rubygem-rbs open
rhel 8rubygem-rdoc open
rhel 8rubygem-rexml fixed in 0:3.2.6-2.module+el8.10.0+21860+47fbda2a
rhel 8rubygem-rss open
rhel 8rubygem-test-unit fixed in 0:3.2.7-112.module+el8.10.0+22021+135c76a8
rhel 8rubygem-typeprof open
rhel 8rubygem-xmlrpc open
rhel 8rubygems fixed in 0:2.7.6.3-112.module+el8.10.0+22021+135c76a8
rhel 8rubygems-devel open
rhel 9ruby fixed in 0:3.0.7-162.el9_4
rhel 9ruby-bundled-gems open
rhel 9ruby-default-gems fixed in 0:3.0.7-162.el9_4
rhel 9ruby-devel fixed in 0:3.0.7-162.el9_4
rhel 9ruby-libs open
rhel 9rubygem-bigdecimal open
rhel 9rubygem-bundler fixed in 0:2.2.33-162.el9_4
rhel 9rubygem-io-console fixed in 0:0.5.7-162.el9_4
rhel 9rubygem-irb fixed in 0:1.3.5-162.el9_4
rhel 9rubygem-json open
rhel 9rubygem-minitest open
▣
Scoring & Timeline
9.8
CRITICAL · CVSS v3.1 · [email protected]
Attack Vector
Network
Adjacent
Local
Physical
Attack Complexity
Low
High
Privileges Required
None
Low
High
User Interaction
None
Required
Scope
Unchanged
Changed
Confidentiality
None
Low
High
Integrity
None
Low
High
Availability
None
Low
High
SSVC triage · cisa-vulnrichment
Exploitation
none
Automatable
yes
Technical impact
total
SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.
⚑
Vendor Advisories
13🔗
References & Sources
9Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.