CVE-2023-28756

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

Published: Mar 31, 2023
Updated: May 10, 2024
CVE: CVE-2023-28756
GHSA: GHSA-fg7x-g82r-94qc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-1333

Affected Software
References

Software	From	Fixed in
ruby-lang / time	0.2.1	0.2.1.x
ruby-lang / time	0.1.0	0.1.0.x
ruby-lang / ruby	-	2.7.7.x
time	0.2.0	0.2.2
time	-	0.1.1
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	36	36.x
fedoraproject / fedora	37	37.x
fedoraproject / fedora	38	38.x

https://github.com/ruby/time/releases
https://github.com/ruby/time/releases/
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/time/CVE-2023-28756.yml
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
https://lists.fedoraproject.org/archives/list/[email protected]/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
https://lists.fedoraproject.org/archives/list/[email protected]/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
https://lists.fedoraproject.org/archives/list/[email protected]/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
https://lists.fedoraproject.org/archives/list/[email protected]/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
https://lists.fedoraproject.org/archives/list/[email protected]/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
https://security.gentoo.org/glsa/202401-27
https://security.netapp.com/advisory/ntap-20230526-0004
https://security.netapp.com/advisory/ntap-20230526-0004/
https://www.ruby-lang.org/en/downloads/releases
https://www.ruby-lang.org/en/downloads/releases/
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756
https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/

Vulnerability Database

289,599

CVE-2023-28756