QID 356252
Date Published: 2023-09-28
QID 356252: Amazon Linux Security Advisory for ruby : ALASRUBY2.6-2023-002
A flaw was found in ruby, where the date object was found to be vulnerable to a regular expression denial of service (redos) during the parsing of dates.
This flaw allows an attacker to hang a ruby application by providing a specially crafted date string.
The highest threat to this vulnerability is system availability. (
( CVE-2021-41817) cgi::cookie.parse in ruby through 2.6.8 mishandles security prefixes in cookie names.
This also affects the cgi gem through 0.3.0 for ruby. (
( CVE-2021-41819)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
Solution
Please refer to Amazon advisory: ALASRUBY2.6-2023-002 for affected packages and patching details, or update with your package manager.
Vendor References
- ALASRUBY2.6-2023-002 -
alas.aws.amazon.com/AL2/ALASRUBY2.6-2023-002.html
CVEs related to QID 356252
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALASRUBY2.6-2023-002 | amazon linux 2 |
alas.aws.amazon.com/AL2/ALASRUBY2.6-2023-002.html |