SB2020040188 - Information disclosure in ruby (Alpine package)
Published: April 1, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2020-10933)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the BasicSocket#read_nonblock method outputs the previous contents of the heap instead of copying the requested data. A remote attacker can gain access to sensitive information on the system.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=9187c18b5ec330fb9b5af90d85672f02af3a15d5
- https://git.alpinelinux.org/aports/commit/?id=2831552db46aa5611d731c169b45810977d7b96a
- https://git.alpinelinux.org/aports/commit/?id=9d8c04b05e9bd2d754e1d7fafde8d286b14751d9
- https://git.alpinelinux.org/aports/commit/?id=d64618fe60af05a9e866c32d4bff6db761f2ea2b
- https://git.alpinelinux.org/aports/commit/?id=4badd65f51c8099060803ef81deb2857141a06cd
- https://git.alpinelinux.org/aports/commit/?id=dd7e83db96d337eb585d966437df734cbd94e240
- https://git.alpinelinux.org/aports/commit/?id=c5a61063a94ce45a12d02048c53a4c3f20986e01
- https://git.alpinelinux.org/aports/commit/?id=5499c35bb7f43cf09d18553d19e6255eed357c9f
- https://git.alpinelinux.org/aports/commit/?id=459989946e59b882d2d6ab458739b91fe6237e8c