Corrective releases of the programming language Ruby 3.1.2, 3.0.4, 2.7.6, 2.6.10 have been formed, in which two vulnerabilities have been eliminated:
- CVE-2022-28738 - Double-free memory (double-free) in regular expression compilation code that occurs when passing a specially crafted string when creating a Regexp object. The vulnerability can be exploited if unvalidated external data is used in the Regexp object.
- CVE-2022-28739 - Buffer overflow in string to float conversion code. The vulnerability could potentially be exploited to gain access to the contents of memory when handling unverified external data in methods such as Kernel#Float and String#to_f.
Source: opennet.ru