7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
64.7%
Addressable is an alternative implementation to the URI implementation that
is part of Ruby’s standard library. An uncontrolled resource consumption
vulnerability exists after version 2.3.0 through version 2.7.0. Within the
URI template implementation in Addressable, a maliciously crafted template
may result in uncontrolled resource consumption, leading to denial of
service when matched against a URI. In typical usage, templates would not
normally be read from untrusted user input, but nonetheless, no previous
security advisory for Addressable has cautioned against doing this. Users
of the parsing capabilities in Addressable but not the URI template
capabilities are unaffected. The vulnerability is patched in version 2.8.0.
As a workaround, only create Template objects from trusted sources that
have been validated not to produce catastrophic backtracking.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | ruby-addressable | < any | UNKNOWN |
ubuntu | 20.04 | noarch | ruby-addressable | < any | UNKNOWN |
ubuntu | 16.04 | noarch | ruby-addressable | < any | UNKNOWN |
github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc
github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76
github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
launchpad.net/bugs/cve/CVE-2021-32740
nvd.nist.gov/vuln/detail/CVE-2021-32740
security-tracker.debian.org/tracker/CVE-2021-32740
www.cve.org/CVERecord?id=CVE-2021-32740
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.003 Low
EPSS
Percentile
64.7%