CVE-2022-28738 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Unknown
Remote	Unknown
Type	Arbitrary code execution
Description	double-free in Regexp compilation

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2757	ruby	3.0.3-1	3.0.4-1	High	Fixed

References
https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/ https://hackerone.com/reports/1220911

Notes
compiling a Regexp from untrusted input is considered unsafe in general but this case is still considered a vulnerability. https://hackerone.com/piao?type=user shows the severity as high, the linked reference is not yet public, the ruby-lang post does not state a severity, why nvd assumes this to be critical is unclear as they seem to assume it to be remotely exploitable which suggests the use in a webapp but that should be a cve for the webapp instead

Notes

compiling a Regexp from untrusted input is considered unsafe in general but this case is still considered a vulnerability. https://hackerone.com/piao?type=user shows the severity as high, the linked reference is not yet public, the ruby-lang post does not state a severity, why nvd assumes this to be critical is unclear as they seem to assume it to be remotely exploitable which suggests the use in a webapp but that should be a cve for the webapp instead