CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
fugit contains time tools for flor and the floraison group. The fugit
“natural” parser, which turns “every wednesday at 5pm” into “0 17 * * 3”,
accepted input of any length and kept attempting to parse it instead of
returning promptly as expected. The parse call could hold the thread with
no end in sight. Fugit dependents that do not check (user) input length for
plausibility are impacted. A fix was released in fugit 1.11.1.
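A dependent application can check its locked fugit version against the fix release and cap input length before calling the natural parser. The Ruby below is an added example, not code from fugit or from this advisory; the names `locked_fugit_versions`, `affected?`, `guarded_nat_parse`, the 256-character limit and both sample lockfiles are assumptions made for illustration.

```ruby
require 'rubygems' # provides Gem::Version (loaded by default in modern Ruby)

FIXED_IN = Gem::Version.new('1.11.1') # fix release named in the advisory
MAX_NAT_LENGTH = 256                  # assumed plausibility limit, tune per application

class ImplausibleInput < ArgumentError; end

# Versions of fugit resolved in a Gemfile.lock. Resolved gems sit under
# "specs:" at four spaces of indent; dependency constraints sit deeper.
def locked_fugit_versions(lockfile_text)
  lockfile_text.scan(/^ {4}fugit \(([^)\s]+)\)$/).flatten.map { |v| Gem::Version.new(v) }
end

# True when any resolved fugit predates the fix release.
def affected?(lockfile_text)
  locked_fugit_versions(lockfile_text).any? { |v| v < FIXED_IN }
end

# Reject over-long strings before they reach the natural parser.
# `parser` is any callable, e.g. Fugit::Nat.method(:parse) in an application.
def guarded_nat_parse(input, parser, max_length: MAX_NAT_LENGTH)
  text = input.to_s
  if text.length > max_length
    raise ImplausibleInput, "#{text.length} characters exceeds limit of #{max_length}"
  end
  parser.call(text)
end

# Constructed sample lockfiles (not taken from any real project).
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fugit (1.11.0)
        et-orbi (~> 1, >= 1.2.11)
        raabro (~> 1.4)
LOCK

NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fugit (1.11.1)
        et-orbi (~> 1, >= 1.2.11)
        raabro (~> 1.4)
      sidekiq-cron (1.12.0)
        fugit (~> 1.8)
LOCK
```

The length guard is useful on its own where upgrading is delayed, since the advisory identifies missing input-length checks in dependents as the condition for impact.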
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | ruby-fugit | < any | UNKNOWN |
ubuntu | 22.04 | noarch | ruby-fugit | < any | UNKNOWN |
ubuntu | 24.04 | noarch | ruby-fugit | < any | UNKNOWN |
github.com/floraison/fugit/commit/025ad7bb76590d3360750d5617b235a23908e5bb (v1.11.1)
github.com/floraison/fugit/commit/2a11805444d9ed036ee8570b88cd2b6df450ee84 (v1.11.1)
github.com/floraison/fugit/commit/6a7527497c0bb9196efe503e3d9b5271128a8ee1 (v1.11.1)
github.com/floraison/fugit/commit/767ef550281bcdc8782233840f98cf8487340476 (v1.11.1)
github.com/floraison/fugit/commit/a9a262873450eaf5671747f846a6ec1e5f7d87c1 (v1.11.1)
github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5 (v1.11.1)
github.com/floraison/fugit/issues/104
github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g
launchpad.net/bugs/cve/CVE-2024-43380
nvd.nist.gov/vuln/detail/CVE-2024-43380
security-tracker.debian.org/tracker/CVE-2024-43380
www.cve.org/CVERecord?id=CVE-2024-43380