CVE-2013-4363

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

Published: Oct 18, 2013
Updated: May 9, 2024
CVE: CVE-2013-4363
GHSA: GHSA-9qvm-2vhf-q649
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-310

Affected Software
References

Software	From	Fixed in
rubygems / rubygems	1.8.24	1.8.24.x
rubygems / rubygems	1.8.16	1.8.16.x
rubygems / rubygems	2.1.0-rc2	2.1.0-rc2.x
rubygems / rubygems	2.0.0-rc2	2.0.0-rc2.x
rubygems / rubygems	2.0.0-preview2.1	2.0.0-preview2.1.x
rubygems / rubygems	2.0.6	2.0.6.x
rubygems / rubygems	1.8.20	1.8.20.x
rubygems / rubygems	1.8.0	1.8.0.x
rubygems / rubygems	2.0.5	2.0.5.x
rubygems / rubygems	2.0.4	2.0.4.x
rubygems / rubygems	1.8.8	1.8.8.x
rubygems / rubygems	1.8.12	1.8.12.x
rubygems / rubygems	1.8.22	1.8.22.x
rubygems / rubygems	1.8.17	1.8.17.x
rubygems / rubygems	2.1.1	2.1.1.x
rubygems / rubygems	1.8.15	1.8.15.x
rubygems / rubygems	1.8.5	1.8.5.x
rubygems / rubygems	2.1.4	2.1.4.x
rubygems / rubygems	1.8.21	1.8.21.x
rubygems / rubygems	2.0.0-rc1	2.0.0-rc1.x
rubygems / rubygems	1.8.2	1.8.2.x
rubygems / rubygems	1.8.26	1.8.26.x
rubygems / rubygems	1.8.9	1.8.9.x
rubygems / rubygems	2.0.0-preview2.2	2.0.0-preview2.2.x
rubygems / rubygems	2.0.0-preview2	2.0.0-preview2.x
rubygems / rubygems	2.0.3	2.0.3.x
rubygems / rubygems	1.8.6	1.8.6.x
rubygems / rubygems	1.8.14	1.8.14.x
rubygems / rubygems	1.8.10	1.8.10.x
rubygems / rubygems	2.1.2	2.1.2.x
rubygems / rubygems	2.0.0	2.0.0.x
rubygems / rubygems	1.8.19	1.8.19.x
rubygems / rubygems	1.8.13	1.8.13.x
rubygems / rubygems	1.8.3	1.8.3.x
rubygems / rubygems	2.0.9	2.0.9.x
rubygems / rubygems	1.8.18	1.8.18.x
rubygems / rubygems	1.8.25	1.8.25.x
rubygems / rubygems	2.0.2	2.0.2.x
rubygems / rubygems	2.1.3	2.1.3.x
rubygems / rubygems	-	1.8.23.x
rubygems / rubygems	1.8.7	1.8.7.x
rubygems / rubygems	1.8.1	1.8.1.x
rubygems / rubygems	2.0.7	2.0.7.x
rubygems / rubygems	2.0.1	2.0.1.x
rubygems / rubygems	2.1.0-rc1	2.1.0-rc1.x
rubygems / rubygems	2.1.0	2.1.0.x
rubygems / rubygems	1.8.4	1.8.4.x
rubygems / rubygems	2.0.8	2.0.8.x
rubygems / rubygems	1.8.11	1.8.11.x
ruby-lang / ruby	1.9.3-p426	1.9.3-p426.x
ruby-lang / ruby	2.0.0	2.0.0.x
ruby-lang / ruby	1.9.3-p286	1.9.3-p286.x
ruby-lang / ruby	1.9.3-p385	1.9.3-p385.x
ruby-lang / ruby	1.9.3-p383	1.9.3-p383.x
ruby-lang / ruby	2.0.0-p195	2.0.0-p195.x
ruby-lang / ruby	1.9.3-p429	1.9.3-p429.x
ruby-lang / ruby	2.0	2.0.x
ruby-lang / ruby	2.0.0-preview1	2.0.0-preview1.x
ruby-lang / ruby	1.9.2	1.9.2.x
ruby-lang / ruby	1.9.1	1.9.1.x
ruby-lang / ruby	2.0.0-p247	2.0.0-p247.x
ruby-lang / ruby	2.0.0-p0	2.0.0-p0.x
ruby-lang / ruby	1.9.3-p125	1.9.3-p125.x
ruby-lang / ruby	2.0.0-rc1	2.0.0-rc1.x
ruby-lang / ruby	2.0.0-preview2	2.0.0-preview2.x
ruby-lang / ruby	1.9.3-p194	1.9.3-p194.x
ruby-lang / ruby	1.9.3	1.9.3.x
ruby-lang / ruby	1.9	1.9.x
ruby-lang / ruby	1.9.3-p392	1.9.3-p392.x
ruby-lang / ruby	2.0.0-rc2	2.0.0-rc2.x
ruby-lang / ruby	1.9.3-p0	1.9.3-p0.x
rubygems-update	-	1.8.23.2
rubygems-update	1.8.24	1.8.27
rubygems-update	2.0.0	2.0.10
rubygems-update	2.1.0	2.1.5

Vulnerability Database

289,599

CVE-2013-4363