5.3

CVE-2023-28756

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ruby-langRuby Version <= 2.7.7
Ruby-langTime Version0.1.0 SwPlatformruby
Ruby-langTime Version0.2.1 SwPlatformruby
DebianDebian Linux Version10.0
FedoraprojectFedora Version36
FedoraprojectFedora Version37
FedoraprojectFedora Version38
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.45% 0.823
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
Third Party Advisory
Mailing List
https://security.gentoo.org/glsa/202401-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
https://www.ruby-lang.org/en/downloads/releases/
Release Notes
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
Release Notes
https://github.com/ruby/time/releases/
Release Notes
https://security.netapp.com/advisory/ntap-20230526-0004/
Third Party Advisory
https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html