CVE-2023-28756

Name
CVE-2023-28756
Description
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
CONFIRM https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
MISC https://github.com/ruby/time/releases/
MISC https://www.ruby-lang.org/en/downloads/releases/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
MLIST https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20230526-0004/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
cve@mitre.org https://security.gentoo.org/glsa/202401-27

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:ruby-lang:time:0.2.1:*:*:*:*:ruby:*:* ruby-time == None == 0.2.1
cpe:2.3:a:ruby-lang:time:0.1.0:*:*:*:*:ruby:*:* ruby-time == None == 0.1.0
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* ruby >= None <= 2.7.7

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
ruby 3.15-main 3.0.6-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
ruby 3.14-main 2.7.8-r0 Natanael Copa <ncopa@alpinelinux.org> fixed