ghsa-qg54-694p-wgpp
Vulnerability from github
Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.
The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse.
Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem "date", ">= 3.2.1" to your Gemfile. If you import date
from the standard library rather than as a gem you should update your Ruby install to 3.0.3
, 2.7.5
, 2.6.9
or later.
Users unable to upgrade may consider using Date.strptime
instead with a predefined date format
ruby
Date.strptime('2001-02-20', '%Y-%m-%d')
{ "affected": [ { "package": { "ecosystem": "RubyGems", "name": "date" }, "ranges": [ { "events": [ { "introduced": "3.2.0" }, { "fixed": "3.2.1" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "RubyGems", "name": "date" }, "ranges": [ { "events": [ { "introduced": "3.1.0" }, { "fixed": "3.1.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "RubyGems", "name": "date" }, "ranges": [ { "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "RubyGems", "name": "date" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.0.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-41817" ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2021-11-16T00:15:43Z", "nvd_published_at": "2022-01-01T05:15:00Z", "severity": "HIGH" }, "details": "Date\u2019s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.\n\nThe fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse.\n\nPlease update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem \"date\", \"\u003e= 3.2.1\" to your Gemfile. If you import `date` from the standard library rather than as a gem you should update your Ruby install to `3.0.3`, `2.7.5`, `2.6.9` or later.\n\nUsers unable to upgrade may consider using `Date.strptime` instead with a predefined date format\n```ruby\nDate.strptime(\u00272001-02-20\u0027, \u0027%Y-%m-%d\u0027)\n```", "id": "GHSA-qg54-694p-wgpp", "modified": "2024-01-24T19:18:37Z", "published": "2021-11-16T00:32:30Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41817" }, { "type": "WEB", "url": "https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0" }, { "type": "WEB", "url": "https://hackerone.com/reports/1254844" }, { "type": "PACKAGE", "url": "https://github.com/ruby/date" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/date/CVE-2021-41817.yml" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202401-27" }, { "type": "WEB", "url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Regular expression denial of service vulnerability (ReDoS) in date" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.