Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xZzU0LTY5NHAtd2dwcM0XPQ
Regular expression denial of service vulnerability (ReDoS) in date
Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.
The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse.
Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem "date", ">= 3.2.1" to your Gemfile. If you import date from the standard library rather than as a gem you should update your Ruby install to 3.0.3, 2.7.5, 2.6.9 or later.
Users unable to upgrade may consider using Date.strptime instead with a predefined date format
Date.strptime('2001-02-20', '%Y-%m-%d')
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xZzU0LTY5NHAtd2dwcM0XPQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-qg54-694p-wgpp, CVE-2021-41817
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41817
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
- https://hackerone.com/reports/1254844
- https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0
- https://lists.fedoraproject.org/archives/list/[email protected]/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/date/CVE-2021-41817.yml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
- https://security.gentoo.org/glsa/202401-27
- https://github.com/advisories/GHSA-qg54-694p-wgpp
Blast Radius: 31.4
Affected Packages
rubygems:date
Dependent packages: 37Dependent repositories: 15,255
Downloads: 59,873,131 total
Affected Version Ranges: < 2.0.1, >= 3.0.0, < 3.0.2, >= 3.1.0, < 3.1.2, >= 3.2.0, < 3.2.1
Fixed in: 2.0.1, 3.0.2, 3.1.2, 3.2.1
All affected versions: 0.0.1, 1.0.0, 2.0.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0
All unaffected versions: 2.0.1, 2.0.2, 2.0.3, 3.0.2, 3.0.3, 3.1.2, 3.1.3, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4