CVE-2021-41817

Опубликовано: 01 янв. 2022

Источник: debian

EPSS Низкий

Описание

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

Пакеты

Пакет	Статус	Версия исправления	Тип
ruby3.0	fixed	3.0.3-1	package
ruby2.7	fixed	2.7.5-1	package
ruby2.5	removed		package
ruby2.3	removed		package

Примечания

Fixed in Ruby 3.0.3, 2.7.5, 2.6.9
https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
Fixed by: https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0 (v3.2.2)
Followups to mimic previous behaviour:
https://github.com/ruby/date/commit/8f2d7a0c7e52cea8333824bd527822e5449ed83d (v3.2.2)
https://github.com/ruby/date/commit/376c65942bd1d81803f14d37351737df60ec4664 (v3.2.2)

EPSS

Процентиль: 61%

0.00422

Низкий

Связанные уязвимости

CVE-2021-41817

CVSS3: 7.5

ubuntu

больше 3 лет назад

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

CVE-2021-41817

CVSS3: 7.5

redhat

больше 3 лет назад

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

CVE-2021-41817

CVSS3: 7.5

nvd

больше 3 лет назад

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

CVE-2021-41817

CVSS3: 7.5

msrc

больше 3 лет назад

Описание отсутствует

GHSA-qg54-694p-wgpp

CVSS3: 7.5

github

больше 3 лет назад

Regular expression denial of service vulnerability (ReDoS) in date

EPSS

Процентиль: 61%

0.00422

Низкий