gsd-2021-32740
Vulnerability from gsd
Modified
2021-07-12 00:00
Details
Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,
leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,
but nonetheless, no previous security advisory for Addressable has cautioned against doing this.
Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-32740",
"description": "Addressable is an alternative implementation to the URI implementation that is part of Ruby\u0027s standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.",
"id": "GSD-2021-32740",
"references": [
"https://www.suse.com/security/cve/CVE-2021-32740.html",
"https://access.redhat.com/errata/RHSA-2021:4702",
"https://access.redhat.com/errata/RHBA-2021:3393",
"https://advisories.mageia.org/CVE-2021-32740.html",
"https://security.archlinux.org/CVE-2021-32740"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "addressable",
"purl": "pkg:gem/addressable"
}
}
],
"aliases": [
"CVE-2021-32740",
"GHSA-jxhc-q857-3j6g"
],
"details": "Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,\nleading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,\nbut nonetheless, no previous security advisory for Addressable has cautioned against doing this.\nUsers of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n",
"id": "GSD-2021-32740",
"modified": "2021-07-12T00:00:00.000Z",
"published": "2021-07-12T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-jxhc-q857-3j6g"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in Addressable templates"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32740",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service in Addressable templates"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "addressable",
"version": {
"version_data": [
{
"version_value": "\u003e 2.3.0, \u003c= 2.7.0"
}
]
}
}
]
},
"vendor_name": "sporkmonger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Addressable is an alternative implementation to the URI implementation that is part of Ruby\u0027s standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g",
"refsource": "CONFIRM",
"url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g"
},
{
"name": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc",
"refsource": "MISC",
"url": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc"
},
{
"name": "FEDORA-2021-5d14763df8",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYPVOOQU7UB277UUERJMCNQLRCXRCIQ5/"
},
{
"name": "FEDORA-2021-e9fc035565",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDFQM2NHNAZ3NNUQZEJTYECYZYXV4UDS/"
}
]
},
"source": {
"advisory": "GHSA-jxhc-q857-3j6g",
"discovery": "UNKNOWN"
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2021-32740",
"cvss_v3": 7.5,
"date": "2021-07-12",
"description": "Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,\nleading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,\nbut nonetheless, no previous security advisory for Addressable has cautioned against doing this.\nUsers of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n",
"gem": "addressable",
"ghsa": "jxhc-q857-3j6g",
"patched_versions": [
"\u003e= 2.8.0"
],
"title": "Regular Expression Denial of Service in Addressable templates",
"unaffected_versions": [
"\u003c 2.3.0"
],
"url": "https://github.com/advisories/GHSA-jxhc-q857-3j6g"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.3.0 \u003c2.8.0",
"affected_versions": "All versions starting from 2.3.0 before 2.8.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-09-21",
"description": "Addressable is an alternative implementation to the URI implementation that is part of Ruby\u0027s standard library. An uncontrolled resource consumption vulnerability exists Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.",
"fixed_versions": [
"2.8.0"
],
"identifier": "CVE-2021-32740",
"identifiers": [
"CVE-2021-32740",
"GHSA-jxhc-q857-3j6g"
],
"not_impacted": "All versions before 2.3.0, all versions starting from 2.8.0",
"package_slug": "gem/addressable",
"pubdate": "2021-07-06",
"solution": "Upgrade to version 2.8.0 or above.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-32740"
],
"uuid": "c6b7051f-d938-48b6-8a3a-ddf35c8f96f9"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:addressable_project:addressable:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "2.8.0",
"versionStartIncluding": "2.3.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32740"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Addressable is an alternative implementation to the URI implementation that is part of Ruby\u0027s standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g"
},
{
"name": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc",
"refsource": "MISC",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc"
},
{
"name": "FEDORA-2021-5d14763df8",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYPVOOQU7UB277UUERJMCNQLRCXRCIQ5/"
},
{
"name": "FEDORA-2021-e9fc035565",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDFQM2NHNAZ3NNUQZEJTYECYZYXV4UDS/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-09-21T18:18Z",
"publishedDate": "2021-07-06T15:15Z"
}
}
}
Loading...