CVE-2023-28756

Summary

CVE	CVE-2023-28756
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-03-31 04:15:00 UTC
Updated	2024-01-24 05:15:00 UTC
Description	A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

Risk And Classification

Problem Types: CWE-1333

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Operating System	Fedoraproject	Fedora	38	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Time	0.1.0	All	All	All
Application	Ruby-lang	Time	0.2.1	All	All	All

References

Reference	Source	Link	Tags
Releases · ruby/time · GitHub	MISC	github.com
[SECURITY] Fedora 37 Update: ruby-3.1.4-175.fc37 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
CVE-2023-28756 Ruby Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Ruby Releases	MISC	www.ruby-lang.org
Ruby 3.2.0 Released	MISC	www.ruby-lang.org
CVE-2023-28756: ReDoS vulnerability in Time	CONFIRM	www.ruby-lang.org
[SECURITY] Fedora 36 Update: ruby-3.1.4-175.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 37 Update: ruby-3.1.4-175.fc37 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Ruby: Multiple vulnerabilities (GLSA 202401-27) — Gentoo security		security.gentoo.org
[SECURITY] [DLA 3408-1] jruby security update	MLIST	lists.debian.org
[SECURITY] Fedora 36 Update: ruby-3.1.4-175.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 38 Update: ruby-3.2.2-180.fc38 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 38 Update: ruby-3.2.2-180.fc38 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

160771 Oracle Enterprise Linux Security Update for ruby:2.7 (ELSA-2023-3821)
161185 Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2023-7025)
161427 Oracle Enterprise Linux Security Update for ruby:3.1 (ELSA-2024-1431)
161454 Oracle Enterprise Linux Security Update for ruby:3.1 (ELSA-2024-1576)
181757 Debian Security Update for jruby (DLA 3408-1)
181830 Debian Security Update for ruby2.5 (DLA 3447-1)
199319 Ubuntu Security Notification for Ruby Vulnerabilities (USN-6055-1)
199350 Ubuntu Security Notification for Ruby Vulnerabilities (USN-6087-1)
199434 Ubuntu Security Notification for Ruby Vulnerabilities (USN-6181-1)
241557 Red Hat Update for rh-ruby27-ruby security (RHSA-2023:3291)
241760 Red Hat Update for ruby:2.7 security (RHSA-2023:3821)
242449 Red Hat Update for ruby:2.5 (RHSA-2023:7025)
243097 Red Hat Update for ruby:3.1 security (RHSA-2024:1431)
243151 Red Hat Update for ruby:3.1 security (RHSA-2024:1576)
283908 Fedora Security Update for ruby (FEDORA-2023-a7be7ea1aa)
283913 Fedora Security Update for ruby (FEDORA-2023-f58d72c700)
284200 Fedora Security Update for ruby (FEDORA-2023-6b924d3b75)
296100 Oracle Solaris 11.4 Support Repository Update (SRU) 58.144.3 Missing (CPUAPR2023)
355241 Amazon Linux Security Advisory for ruby3.2 : ALAS2023-2023-158
355435 Amazon Linux Security Advisory for ruby : ALAS2-2023-2084
356299 Amazon Linux Security Advisory for ruby : ALASRUBY3.0-2023-001
378703 Alibaba Cloud Linux Security Update for ruby:2.7 (ALINUX3-SA-2023:0080)
502701 Alpine Linux Security Update for ruby
502702 Alpine Linux Security Update for ruby
502703 Alpine Linux Security Update for ruby
504380 Alpine Linux Security Update for ruby
672891 EulerOS Security Update for ruby (EulerOS-SA-2023-1828)
672912 EulerOS Security Update for ruby (EulerOS-SA-2023-1810)
673172 EulerOS Security Update for ruby (EulerOS-SA-2023-2321)
673186 EulerOS Security Update for ruby (EulerOS-SA-2023-2341)
673497 EulerOS Security Update for ruby (EulerOS-SA-2023-2708)
673836 EulerOS Security Update for ruby (EulerOS-SA-2023-2666)
691105 Free Berkeley Software Distribution (FreeBSD) Security Update for rubygem (6bd2773c-cf1a-11ed-bd44-080027f5fec9)
710844 Gentoo Linux Ruby Multiple Vulnerabilities (GLSA 202401-27)
755145 SUSE Enterprise Linux Security Update for ruby2.5 (SUSE-SU-2023:4176-1)
941165 AlmaLinux Security Update for ruby:2.7 (ALSA-2023:3821)
941437 AlmaLinux Security Update for ruby:2.5 (ALSA-2023:7025)
941625 AlmaLinux Security Update for ruby:3.1 (ALSA-2024:1431)
941633 AlmaLinux Security Update for ruby:3.1 (ALSA-2024:1576)
961138 Rocky Linux Security Update for ruby:3.1 (RLSA-2024:1431)
961149 Rocky Linux Security Update for ruby:3.1 (RLSA-2024:1576)