github - GHSA-qg54-694p-wgpp

GHSA-qg54-694p-wgpp

Vulnerability from github

Published

2021-11-16 00:32

Modified

2024-01-24 19:18

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Regular expression denial of service vulnerability (ReDoS) in date

Details

Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse.

Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem "date", ">= 3.2.1" to your Gemfile. If you import date from the standard library rather than as a gem you should update your Ruby install to 3.0.3, 2.7.5, 2.6.9 or later.

Users unable to upgrade may consider using Date.strptime instead with a predefined date format ruby Date.strptime('2001-02-20', '%Y-%m-%d')

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "date"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "date"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "date"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "date"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-16T00:15:43Z",
    "nvd_published_at": "2022-01-01T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Date\u2019s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.\n\nThe fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse.\n\nPlease update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem \"date\", \"\u003e= 3.2.1\" to your Gemfile. If you import `date` from the standard library rather than as a gem you should update your Ruby install to `3.0.3`, `2.7.5`, `2.6.9` or later.\n\nUsers unable to upgrade may consider using `Date.strptime` instead with a predefined date format\n```ruby\nDate.strptime(\u00272001-02-20\u0027, \u0027%Y-%m-%d\u0027)\n```",
  "id": "GHSA-qg54-694p-wgpp",
  "modified": "2024-01-24T19:18:37Z",
  "published": "2021-11-16T00:32:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41817"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1254844"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/date"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/date/CVE-2021-41817.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-27"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression denial of service vulnerability (ReDoS) in date"
}

cve-2021-41817

Vulnerability from cvelistv5

Published

2022-01-01 00:00

Modified

2024-08-04 03:22

Severity ?

Summary

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

References

▼	URL	Tags
	https://hackerone.com/reports/1254844
	https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/	vendor-advisory
	https://security.gentoo.org/glsa/202401-27	vendor-advisory

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:22:24.342Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1254844"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
          },
          {
            "name": "FEDORA-2022-82a9edac27",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
          },
          {
            "name": "FEDORA-2022-8cf0124add",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
          },
          {
            "name": "GLSA-202401-27",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202401-27"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-24T05:06:33.551146",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/1254844"
        },
        {
          "url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
        },
        {
          "name": "FEDORA-2022-82a9edac27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
        },
        {
          "name": "FEDORA-2022-8cf0124add",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
        },
        {
          "name": "GLSA-202401-27",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202401-27"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-41817",
    "datePublished": "2022-01-01T00:00:00",
    "dateReserved": "2021-09-29T00:00:00",
    "dateUpdated": "2024-08-04T03:22:24.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

gsd-2021-41817

Vulnerability from gsd

Modified

2021-11-15 00:00

Details

Date's parsing methods including `Date.parse` are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected. The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing `limit` keywords as `nil` like `Date.parse(str, limit: nil)`, but note that it may take a long time to parse. Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use `gem update date` to update it. If you are using bundler, please add `gem "date", ">= 3.2.1"` to your `Gemfile`.

Aliases

CVE-2021-41817

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41817",
    "description": "Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.",
    "id": "GSD-2021-41817",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-41817.html",
      "https://www.debian.org/security/2022/dsa-5066",
      "https://www.debian.org/security/2022/dsa-5067",
      "https://access.redhat.com/errata/RHSA-2022:0708",
      "https://access.redhat.com/errata/RHSA-2022:0582",
      "https://access.redhat.com/errata/RHSA-2022:0581",
      "https://access.redhat.com/errata/RHSA-2022:0544",
      "https://access.redhat.com/errata/RHSA-2022:0543",
      "https://ubuntu.com/security/CVE-2021-41817",
      "https://advisories.mageia.org/CVE-2021-41817.html",
      "https://security.archlinux.org/CVE-2021-41817",
      "https://linux.oracle.com/cve/CVE-2021-41817.html",
      "https://access.redhat.com/errata/RHSA-2022:5779",
      "https://access.redhat.com/errata/RHSA-2022:6447",
      "https://access.redhat.com/errata/RHSA-2022:6450",
      "https://access.redhat.com/errata/RHSA-2022:6855",
      "https://access.redhat.com/errata/RHSA-2022:6856"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "date",
            "purl": "pkg:gem/date"
          }
        }
      ],
      "aliases": [
        "CVE-2021-41817",
        "GHSA-qg54-694p-wgpp"
      ],
      "details": "Date\u0027s parsing methods including `Date.parse` are using Regexps internally, some of\nwhich are vulnerable against regular expression denial of service. Applications and\nlibraries that apply such methods to untrusted input may be affected.\n\nThe fix limits the input length up to 128 bytes by default instead of changing the\nregexps. This is because Date gem uses many Regexps and it is possible that there are\nstill undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the\nlimitation by explicitly passing `limit` keywords as `nil` like\n`Date.parse(str, limit: nil)`, but note that it may take a long time to parse.\n\nPlease update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later.  You\ncan use `gem update date` to update it.  If you are using bundler, please add\n`gem \"date\", \"\u003e= 3.2.1\"` to your `Gemfile`.",
      "id": "GSD-2021-41817",
      "modified": "2021-11-15T00:00:00.000Z",
      "published": "2021-11-15T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Regular Expression Denial of Service Vulnerability of Date Parsing Methods"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-41817",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/1254844",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/1254844"
          },
          {
            "name": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/",
            "refsource": "CONFIRM",
            "url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
          },
          {
            "name": "FEDORA-2022-82a9edac27",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
          },
          {
            "name": "FEDORA-2022-8cf0124add",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
          },
          {
            "name": "GLSA-202401-27",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202401-27"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-41817",
      "cvss_v3": 7.5,
      "date": "2021-11-15",
      "description": "Date\u0027s parsing methods including `Date.parse` are using Regexps internally, some of\nwhich are vulnerable against regular expression denial of service. Applications and\nlibraries that apply such methods to untrusted input may be affected.\n\nThe fix limits the input length up to 128 bytes by default instead of changing the\nregexps. This is because Date gem uses many Regexps and it is possible that there are\nstill undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the\nlimitation by explicitly passing `limit` keywords as `nil` like\n`Date.parse(str, limit: nil)`, but note that it may take a long time to parse.\n\nPlease update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later.  You\ncan use `gem update date` to update it.  If you are using bundler, please add\n`gem \"date\", \"\u003e= 3.2.1\"` to your `Gemfile`.",
      "gem": "date",
      "ghsa": "qg54-694p-wgpp",
      "patched_versions": [
        "~\u003e 2.0.1",
        "~\u003e 3.0.2",
        "~\u003e 3.1.2",
        "\u003e= 3.2.1"
      ],
      "title": "Regular Expression Denial of Service Vulnerability of Date Parsing Methods",
      "url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.0.1||\u003e=3.0.0 \u003c3.0.2||\u003e=3.1.0 \u003c3.1.2||=3.2.0",
          "affected_versions": "All versions before 2.0.1, all versions starting from 3.0.0 before 3.0.2, all versions starting from 3.1.0 before 3.1.2, version 3.2.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-1333",
            "CWE-937"
          ],
          "date": "2023-08-08",
          "description": "Date includes a ReDoS vulnerability. ",
          "fixed_versions": [
            "2.0.1",
            "3.0.2",
            "3.1.2",
            "3.2.1"
          ],
          "identifier": "CVE-2021-41817",
          "identifiers": [
            "CVE-2021-41817",
            "GHSA-qg54-694p-wgpp"
          ],
          "not_impacted": "All versions starting from 2.0.1 before 3.0.0, all versions starting from 3.0.2 before 3.1.0, all versions starting from 3.1.2 before 3.2.0, all versions after 3.2.0",
          "package_slug": "gem/date",
          "pubdate": "2022-01-01",
          "solution": "Upgrade to versions 2.0.1, 3.0.2, 3.1.2, 3.2.1 or above.",
          "title": "Regular expression denial of service vulnerability (ReDoS) in date",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41817",
            "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/",
            "https://hackerone.com/reports/1254844",
            "https://github.com/advisories/GHSA-qg54-694p-wgpp"
          ],
          "uuid": "84a0ec8a-f939-4e52-b971-7c3688115bb9"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "4F906DCD-2E20-4503-8D48-34A8DD858A62",
                    "versionEndExcluding": "2.0.1",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "553D1CED-8FDA-45B1-A1D9-866A915E581E",
                    "versionEndExcluding": "3.0.2",
                    "versionStartIncluding": "3.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "CD9C7701-F92C-476E-B833-C990410CDB55",
                    "versionEndExcluding": "3.1.2",
                    "versionStartIncluding": "3.1.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:date:3.2.0:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "243E15F0-8B4A-480E-8ECF-016D4D6611A3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "77EF3309-2FD3-469A-BAA2-D6425F259B27",
                    "versionEndExcluding": "2.6.9",
                    "versionStartIncluding": "2.6.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D7B53365-0B48-4408-A4A7-9A3744F89F07",
                    "versionEndExcluding": "2.7.5",
                    "versionStartIncluding": "2.7.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D4499575-33A0-47D7-A88B-0E6FD2340792",
                    "versionEndExcluding": "3.0.3",
                    "versionStartIncluding": "3.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                    "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "CBC8B78D-1131-4F21-919D-8AC79A410FB9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:suse:linux_enterprise:15.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "1607628F-77A7-4C1F-98DF-0DC50AE8627D",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:opensuse:factory:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E29492E1-43D8-43BF-94E3-26A762A66FAA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1."
          },
          {
            "lang": "es",
            "value": "Date.parse en  date gem versiones hasta 3.2.0 para Ruby, permite ReDoS (expresi\u00f3n regular de denegaci\u00f3n de servicio) por medio de una cadena larga. Las versiones corregidas son 3.2.1, 3.1.2, 3.0.2 y 2.0.1.\n"
          }
        ],
        "id": "CVE-2021-41817",
        "lastModified": "2024-01-24T05:15:11.520",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "PARTIAL",
                "baseScore": 5.0,
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-01-01T05:15:08.197",
        "references": [
          {
            "source": "cve@mitre.org",
            "tags": [
              "Permissions Required"
            ],
            "url": "https://hackerone.com/reports/1254844"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
          },
          {
            "source": "cve@mitre.org",
            "url": "https://security.gentoo.org/glsa/202401-27"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Exploit",
              "Vendor Advisory"
            ],
            "url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
          }
        ],
        "sourceIdentifier": "cve@mitre.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-1333"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Action not permitted

GHSA-qg54-694p-wgpp

Vulnerability from github

cve-2021-41817

Vulnerability from cvelistv5

gsd-2021-41817

Vulnerability from gsd

Tags