CVE-2024-27281: 
Ruby vulnerability analysis and mitigation

A remote code execution (RCE) vulnerability was discovered in RDoc versions 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. The vulnerability was assigned identifier CVE-2024-27281 and was publicly disclosed on March 21, 2024. The issue affects the parsing of .rdoc_options configuration files and documentation cache loading functionality (Ruby Lang).

The vulnerability stems from unrestricted class restoration when parsing .rdoc_options as YAML files and when loading documentation cache. This lack of restrictions on classes that can be restored enables object injection attacks that can lead to remote code execution. The vulnerability has been assigned a CVSS v3.1 base score of 4.5 (Medium) with vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code through crafted .rdoc_options files or manipulated documentation cache. This affects the confidentiality, integrity, and availability of systems using vulnerable RDoc versions (Ruby Lang).

Users are recommended to update to fixed versions: RDoc 6.6.3.1 for the latest version, 6.3.4.1 for Ruby 3.0 users, 6.4.1.1 for Ruby 3.1 users, and 6.5.1.1 for Ruby 3.2 users. The update can be performed using 'gem update rdoc' or by adding 'gem "rdoc", ">= 6.6.3.1"' to the Gemfile for bundler users. Note that versions 6.3.4, 6.4.1, 6.5.1, and 6.6.3 contain an incorrect fix and should be avoided (Ruby Lang).