Added CVE-2024-27281 for the rdoc gem (issue #769).

gems/rdoc/CVE-2024-27281.yml

@@ -0,0 +1,34 @@
+---
+gem: rdoc
+cve: 2024-27281
+url: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
+title: RCE vulnerability with .rdoc_options in RDoc
+date: 2024-03-21
+description: |
+  An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby
+  3.x through 3.3.0.
+
+  When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file,
+  object injection and resultant remote code execution are possible because
+  there are no restrictions on the classes that can be restored.
+
+  When loading the documentation cache, object injection and resultant remote
+  code execution are also possible if there were a crafted cache.
+
+  We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to
+  ensure compatibility with bundled version in older Ruby series, you may
+  update as follows instead:
+
+  * For Ruby 3.0 users: Update to `rdoc` 6.3.4.1
+  * For Ruby 3.1 users: Update to `rdoc` 6.4.1.1
+  * For Ruby 3.2 users: Update to `rdoc` 6.5.1.1
+
+  You can use `gem update rdoc` to update it. If you are using bundler, please
+  add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`.
+
+  Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to
+  upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.
+patched_versions:
+  - "~> 6.3.4, >= 6.3.4.1"
+  - "~> 6.4.1, >= 6.4.1.1"
+  - ">=  6.5.1.1"