CVE-2021-41817

Name
CVE-2021-41817
Description
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type           URI
MISC           https://hackerone.com/reports/1254844
CONFIRM        https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
FEDORA         https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
FEDORA         https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
cve@mitre.org  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
cve@mitre.org  https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
cve@mitre.org  https://security.gentoo.org/glsa/202401-27

Match rules

CPE URI                                           Source package  Min version  Max version
cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*       ruby-date       >= None      < 2.0.1
cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*       ruby-date       >= 3.0.0     < 3.0.2
cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*       ruby-date       >= 3.1.0     < 3.1.2
cpe:2.3:a:ruby-lang:date:3.2.0:*:*:*:*:ruby:*:*   ruby-date       == None      == 3.2.0
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*          ruby            >= 2.6.0     < 2.6.9
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*          ruby            >= 2.7.0     < 2.7.5
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*          ruby            >= 3.0.0     < 3.0.3

Vulnerable and fixed packages

Source package  Branch  Version  Maintainer  Status