CVE-2020-10933

An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.

Weakness

The product uses or accesses a resource that has not been initialized.

Affected Software

Name	Vendor	Start Version	End Version
Ruby	Ruby-lang	2.5.0 (including)	2.5.7 (including)
Ruby	Ruby-lang	2.6.0 (including)	2.6.5 (including)
Ruby	Ruby-lang	2.7.0 (including)	2.7.0 (including)
Red Hat Enterprise Linux 8	RedHat	ruby:2.5-8040020200923213910.522a0ee4	*
Red Hat Enterprise Linux 8	RedHat	ruby:2.6-8040020210430142949.522a0ee4	*
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions	RedHat	ruby:2.6-8010020220201152941.c27ad7f8	*
Red Hat Enterprise Linux 8.2 Extended Update Support	RedHat	ruby:2.6-8020020220201131207.4cda2c84	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-ruby25-ruby-0:2.5.9-9.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-ruby26-ruby-0:2.6.7-119.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS	RedHat	rh-ruby25-ruby-0:2.5.9-9.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS	RedHat	rh-ruby25-ruby-0:2.5.9-9.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS	RedHat	rh-ruby26-ruby-0:2.6.7-119.el7	*
Ruby1.9.1	Ubuntu	trusty	*
Ruby2.0	Ubuntu	trusty	*
Ruby2.5	Ubuntu	bionic	*
Ruby2.5	Ubuntu	eoan	*
Ruby2.5	Ubuntu	esm-infra/bionic	*
Ruby2.7	Ubuntu	esm-infra/focal	*
Ruby2.7	Ubuntu	focal	*
Ruby2.7	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-10933
CWE	https://cwe.mitre.org/data/definitions/908.html

Use of Uninitialized Resource

Weakness

Affected Software

Potential Mitigations

References