CVE-2024-43380

EPSS 0.79%
Veröffentlicht 19.08.2024 15:15:08
Zuletzt bearbeitet 21.08.2024 12:38:00
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

fugit parse and parse_nat stall on lengthy input

fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Floraison ≫ Fugit SwPlatformruby Version < 1.11.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.79%	0.515

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5

Patch

https://github.com/floraison/fugit/issues/104

Patch

Issue Tracking

https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-43380

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-43380

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-43380

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-43380