GoogleOSV:GHSA-FG7X-G82R-94QCRuby Time component ReDoS issue
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
References
github.com/ruby/time
github.com/ruby/time/releases
github.com/rubysec/ruby-advisory-db/blob/master/gems/time/CVE-2023-28756.yml
lists.debian.org/debian-lts-announce/2023/04/msg00033.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
lists.fedoraproject.org/archives/list/[email protected]/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
lists.fedoraproject.org/archives/list/[email protected]/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
lists.fedoraproject.org/archives/list/[email protected]/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
nvd.nist.gov/vuln/detail/CVE-2023-28756
security.gentoo.org/glsa/202401-27
security.netapp.com/advisory/ntap-20230526-0004
www.ruby-lang.org/en/downloads/releases
www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released
www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756
Related
