CVE-2023-27531: 
Ruby vulnerability analysis and mitigation

A deserialization of untrusted data vulnerability was discovered in the Kredis JSON deserialization code, identified as CVE-2023-27531. The vulnerability affects all versions of Kredis prior to version 1.3.0.1, which was released in March 2023. Any applications using Kredis with JSON functionality are potentially vulnerable (Ruby Rails).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 Base Score of 5.3 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with low confidentiality impact (C:L) and no impact on integrity (I:N) or availability (A:N) (NVD).

When exploited, the vulnerability could allow carefully crafted JSON data processed by Kredis to result in deserialization of untrusted data, potentially leading to deserialization of unexpected objects in the system (Ruby Rails).

The vulnerability has been fixed in Kredis version 1.3.0.1. There are no feasible workarounds for this issue, and users are strongly advised to upgrade to the fixed version. Patches have been provided for supported release series in git-am format for users unable to upgrade immediately (Ruby Rails).