7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.004 Low
EPSS
Percentile
72.7%
Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.
The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse.
Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem “date”, “>= 3.2.1” to your Gemfile. If you import date
from the standard library rather than as a gem you should update your Ruby install to 3.0.3
, 2.7.5
, 2.6.9
or later.
Users unable to upgrade may consider using Date.strptime
instead with a predefined date format
Date.strptime('2001-02-20', '%Y-%m-%d')
github.com/advisories/GHSA-qg54-694p-wgpp
github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0
github.com/rubysec/ruby-advisory-db/blob/master/gems/date/CVE-2021-41817.yml
hackerone.com/reports/1254844
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
lists.fedoraproject.org/archives/list/[email protected]/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
lists.fedoraproject.org/archives/list/[email protected]/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
nvd.nist.gov/vuln/detail/CVE-2021-41817
security.gentoo.org/glsa/202401-27
www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.004 Low
EPSS
Percentile
72.7%