CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.006 Low
Percentile: 79.5%
A heap exposure vulnerability was discovered in the socket library. This vulnerability has been assigned the CVE identifier CVE-2020-10933. We strongly recommend upgrading Ruby.

When BasicSocket#recv_nonblock and BasicSocket#read_nonblock are invoked with size and buffer arguments, they first resize the buffer to the requested size. If the operation would block, they return without copying any data into it, so the buffer string now contains whatever bytes happened to be in that region of the heap. This may expose possibly sensitive data from the interpreter.

This issue is exploitable only on Linux. It has existed since Ruby 2.5.0; the 2.4 series is not vulnerable.
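The failure mode described above is a broken contract between the non-blocking read and its caller: the buffer was resized as if data had arrived, but nothing was copied in. The following is an added example, not code from the advisory or from the Ruby project, showing the defensive pattern a caller can apply on its own side: treat the caller-supplied buffer as holding received data only when the call actually returned a String, and empty it in every other case. The helper name safe_read_nonblock and the UNIXSocket pair used as sample input are constructed for this illustration; the wrapper uses IO#read_nonblock, and the same treatment applies to BasicSocket#recv_nonblock.

```ruby
require "socket"

# Added example (not from the advisory or the Ruby project): a wrapper around
# IO#read_nonblock that never hands the caller a buffer whose contents were
# not filled by this call. The advisory's defect was that, when the read would
# block, the buffer had already been resized to `size` but no data was copied
# into it, so a caller that inspected the buffer afterwards saw leftover heap
# bytes. A patched Ruby empties the buffer itself; this wrapper simply does
# not rely on that.
def safe_read_nonblock(sock, size, buf)
  result = sock.read_nonblock(size, buf, exception: false)
  return result if result.is_a?(String) # data was actually copied into buf

  # :wait_readable (would block) or nil (EOF): nothing was received, so
  # discard whatever the resize may have left behind before anyone reads it.
  buf.clear
  nil
end

# Drive the wrapper over a constructed UNIX socket pair (no network needed):
# one read before anything is written (would block), one after a write.
def demo
  reader, writer = UNIXSocket.pair
  buf = String.new(capacity: 64)

  before = safe_read_nonblock(reader, 16, buf) # nothing queued yet
  buf_after_would_block = buf.dup              # must be empty, never stale bytes

  writer.write("hello")
  IO.select([reader], nil, nil, 1)             # wait until the data is queued
  after = safe_read_nonblock(reader, 16, buf)

  { would_block_result: before,
    would_block_buffer: buf_after_would_block,
    data_result: after }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the wrapper is the invariant it gives the rest of the program: a non-String return means the buffer is empty, so no code path can mistake uninitialized memory for bytes read from the peer. Upgrading Ruby remains the actual fix; the wrapper only makes the caller's assumptions explicit.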