CVE-2023-28756

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
References
Link Resource
https://github.com/ruby/time/releases/ Release Notes
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
https://security.gentoo.org/glsa/202401-27
https://security.netapp.com/advisory/ntap-20230526-0004/ Third Party Advisory
https://www.ruby-lang.org/en/downloads/releases/ Release Notes
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/ Release Notes
https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/ Vendor Advisory
https://github.com/ruby/time/releases/ Release Notes
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
https://security.gentoo.org/glsa/202401-27
https://security.netapp.com/advisory/ntap-20230526-0004/ Third Party Advisory
https://www.ruby-lang.org/en/downloads/releases/ Release Notes
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/ Release Notes
https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/ Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:time:0.1.0:*:*:*:*:ruby:*:*
cpe:2.3:a:ruby-lang:time:0.2.1:*:*:*:*:ruby:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-03-31 04:15

Updated : 2024-11-21 07:55


NVD link : CVE-2023-28756

Mitre link : CVE-2023-28756

CVE.ORG link : CVE-2023-28756


JSON object : View

Products Affected

fedoraproject

  • fedora

debian

  • debian_linux

ruby-lang

  • time
  • ruby
CWE
CWE-1333

Inefficient Regular Expression Complexity