Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    1 vulnerability by floraison

    CVE-2024-43380 (GCVE-0-2024-43380)

    Vulnerability from cvelistv5 – Published: 2024-08-19 14:37 – Updated: 2024-09-03 15:03
    VLAI
    Title
    fugit parse and parse_nat stall on lengthy input
    Summary
    fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
    Severity
    5.3 (Medium)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    floraison fugit Affected: < 1.11.1
    		Create a notification for this product.
    floraison fugit Affected: 0 , < 1.11.1 (custom)
        cpe:2.3:a:floraison:fugit:*:*:*:*:*:*:*:*
    		 Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:floraison:fugit:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "fugit",
            "vendor": "floraison",
            "versions": [
              {
                "lessThan": "1.11.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43380",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-19T17:52:17.418624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T15:03:00.904Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fugit",
          "vendor": "floraison",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fugit contains time tools for flor and the floraison group. The fugit \"natural\" parser, that turns \"every wednesday at 5pm\" into \"0 17 * * 3\", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-19T14:37:39.532Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g"
        },
        {
          "name": "https://github.com/floraison/fugit/issues/104",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/floraison/fugit/issues/104"
        },
        {
          "name": "https://github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5"
        }
      ],
      "source": {
        "advisory": "GHSA-2m96-52r3-2f3g",
        "discovery": "UNKNOWN"
      },
      "title": "fugit parse and parse_nat stall on lengthy input"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43380",
    "datePublished": "2024-08-19T14:37:39.532Z",
    "dateReserved": "2024-08-09T14:23:55.514Z",
    "dateUpdated": "2024-09-03T15:03:00.904Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}