| Type |
| - |
Unknown |
| + |
Arbitrary code execution |
|
| Description |
| + |
double-free in Regexp compilation |
|
| References |
| + |
https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/ |
| + |
https://hackerone.com/reports/1220911 |
|
| Notes |
| + |
compiling a Regexp from untrusted input is considered unsafe in general but this case is still considered a vulnerability. https://hackerone.com/piao?type=user shows the severity as high, the linked reference is not yet public, the ruby-lang post does not state a severity, why nvd assumes this to be critical is unclear as they seem to assume it to be remotely exploitable which suggests the use in a webapp but that should be a cve for the webapp instead |
|