{"id":"CVE-2020-10933","details":"An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied into it. The buffer string is therefore left holding whatever previously occupied that heap memory, which may expose potentially sensitive data from the interpreter's heap to the caller.","aliases":["BIT-ruby-2020-10933","BIT-ruby-min-2020-10933"],"modified":"2026-05-05T12:46:14.138614Z","published":"2020-05-04T15:15:13.963Z","related":["ALSA-2021:2587","ALSA-2021:2588","SUSE-SU-2020:0995-1","openSUSE-SU-2020:0586-1","openSUSE-SU-2024:11310-1","openSUSE-SU-2024:11311-1","openSUSE-SU-2024:11786-1","openSUSE-SU-2024:12712-1","openSUSE-SU-2024:13623-1","openSUSE-SU-2025:14621-1","openSUSE-SU-2025:15819-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"10.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"31"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200625-0001/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4721"},{"type":"EVIDENCE","url":"https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"4e0a512972cdcbfcd5279f1a2a81ba342ed75b6e"},{"last_affected":"1c39daae0f9e1c6d34b53c6a214489fe76eaf38b"},{"introduced":"c1af7b1e1d408f9796a5f46c9ed36bc5adea4aa2"},{"last_affected":"37c2cd3fa47c709570e22ec4dac723ca211f423a"},{"introduced":"0"},{"last_affected":"647ee6f091eafcce70ffb75ddf7e121e192ab217"}],"database_specific":{"ext
racted_events":[{"introduced":"2.5.0"},{"last_affected":"2.5.7"},{"introduced":"2.6.0"},{"last_affected":"2.6.5"},{"introduced":"0"},{"last_affected":"2.7.0"}],"source":"CPE_FIELD","cpe":["cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.7.0:*:*:*:*:*:*:*"]}}],"versions":["v1_0_r2","v2_5_7","v2_6_5","v2_7_0","v2_7_0_preview1","v2_7_0_preview2","v2_7_0_preview3","v2_7_0_rc1","v2_7_0_rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10933.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}