Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mZzd4LWc4MnItOTRxY84AAyet
Ruby Time component ReDoS issue
A ReDoS issue was discovered in the Time component through version 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that contain specific characters, which increases the execution time of parsing strings into Time objects. The fixed versions are 0.1.1 and 0.2.2.
Permalink: https://github.com/advisories/GHSA-fg7x-g82r-94qc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZzd4LWc4MnItOTRxY84AAyet
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 10 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-fg7x-g82r-94qc, CVE-2023-28756
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-28756
- https://www.ruby-lang.org/en/downloads/releases/
- https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
- https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/time/CVE-2023-28756.yml
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://security.netapp.com/advisory/ntap-20230526-0004/
- https://github.com/ruby/time/releases/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
- https://security.gentoo.org/glsa/202401-27
- https://github.com/advisories/GHSA-fg7x-g82r-94qc
Blast Radius: 20.7
Affected Packages
rubygems:time
Dependent packages: 16
Dependent repositories: 576
Downloads: 6,994,233 total
Affected Version Ranges: < 0.1.1, >= 0.2.0, < 0.2.2
Fixed in: 0.1.1, 0.2.2
All affected versions: 0.1.0, 0.2.0, 0.2.1
All unaffected versions: 0.1.1, 0.2.2, 0.3.0, 0.4.0, 0.4.1