gsd-2021-41817
Vulnerability from gsd
Modified
2021-11-15 00:00
Details
Date's parsing methods including `Date.parse` are using Regexps internally, some of
which are vulnerable against regular expression denial of service. Applications and
libraries that apply such methods to untrusted input may be affected.
The fix limits the input length up to 128 bytes by default instead of changing the
regexps. This is because Date gem uses many Regexps and it is possible that there are
still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the
limitation by explicitly passing `limit` keywords as `nil` like
`Date.parse(str, limit: nil)`, but note that it may take a long time to parse.
Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You
can use `gem update date` to update it. If you are using bundler, please add
`gem "date", ">= 3.2.1"` to your `Gemfile`.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-41817",
"description": "Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.",
"id": "GSD-2021-41817",
"references": [
"https://www.suse.com/security/cve/CVE-2021-41817.html",
"https://www.debian.org/security/2022/dsa-5066",
"https://www.debian.org/security/2022/dsa-5067",
"https://access.redhat.com/errata/RHSA-2022:0708",
"https://access.redhat.com/errata/RHSA-2022:0582",
"https://access.redhat.com/errata/RHSA-2022:0581",
"https://access.redhat.com/errata/RHSA-2022:0544",
"https://access.redhat.com/errata/RHSA-2022:0543",
"https://ubuntu.com/security/CVE-2021-41817",
"https://advisories.mageia.org/CVE-2021-41817.html",
"https://security.archlinux.org/CVE-2021-41817",
"https://linux.oracle.com/cve/CVE-2021-41817.html",
"https://access.redhat.com/errata/RHSA-2022:5779",
"https://access.redhat.com/errata/RHSA-2022:6447",
"https://access.redhat.com/errata/RHSA-2022:6450",
"https://access.redhat.com/errata/RHSA-2022:6855",
"https://access.redhat.com/errata/RHSA-2022:6856"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "date",
"purl": "pkg:gem/date"
}
}
],
"aliases": [
"CVE-2021-41817",
"GHSA-qg54-694p-wgpp"
],
"details": "Date\u0027s parsing methods including `Date.parse` are using Regexps internally, some of\nwhich are vulnerable against regular expression denial of service. Applications and\nlibraries that apply such methods to untrusted input may be affected.\n\nThe fix limits the input length up to 128 bytes by default instead of changing the\nregexps. This is because Date gem uses many Regexps and it is possible that there are\nstill undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the\nlimitation by explicitly passing `limit` keywords as `nil` like\n`Date.parse(str, limit: nil)`, but note that it may take a long time to parse.\n\nPlease update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You\ncan use `gem update date` to update it. If you are using bundler, please add\n`gem \"date\", \"\u003e= 3.2.1\"` to your `Gemfile`.",
"id": "GSD-2021-41817",
"modified": "2021-11-15T00:00:00.000Z",
"published": "2021-11-15T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service Vulnerability of Date Parsing Methods"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41817",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1254844",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1254844"
},
{
"name": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
},
{
"name": "FEDORA-2022-82a9edac27",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
},
{
"name": "FEDORA-2022-8cf0124add",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
},
{
"name": "GLSA-202401-27",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202401-27"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2021-41817",
"cvss_v3": 7.5,
"date": "2021-11-15",
"description": "Date\u0027s parsing methods including `Date.parse` are using Regexps internally, some of\nwhich are vulnerable against regular expression denial of service. Applications and\nlibraries that apply such methods to untrusted input may be affected.\n\nThe fix limits the input length up to 128 bytes by default instead of changing the\nregexps. This is because Date gem uses many Regexps and it is possible that there are\nstill undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the\nlimitation by explicitly passing `limit` keywords as `nil` like\n`Date.parse(str, limit: nil)`, but note that it may take a long time to parse.\n\nPlease update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You\ncan use `gem update date` to update it. If you are using bundler, please add\n`gem \"date\", \"\u003e= 3.2.1\"` to your `Gemfile`.",
"gem": "date",
"ghsa": "qg54-694p-wgpp",
"patched_versions": [
"~\u003e 2.0.1",
"~\u003e 3.0.2",
"~\u003e 3.1.2",
"\u003e= 3.2.1"
],
"title": "Regular Expression Denial of Service Vulnerability of Date Parsing Methods",
"url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2.0.1||\u003e=3.0.0 \u003c3.0.2||\u003e=3.1.0 \u003c3.1.2||=3.2.0",
"affected_versions": "All versions before 2.0.1, all versions starting from 3.0.0 before 3.0.2, all versions starting from 3.1.0 before 3.1.2, version 3.2.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-1333",
"CWE-937"
],
"date": "2023-08-08",
"description": "Date includes a ReDoS vulnerability. ",
"fixed_versions": [
"2.0.1",
"3.0.2",
"3.1.2",
"3.2.1"
],
"identifier": "CVE-2021-41817",
"identifiers": [
"CVE-2021-41817",
"GHSA-qg54-694p-wgpp"
],
"not_impacted": "All versions starting from 2.0.1 before 3.0.0, all versions starting from 3.0.2 before 3.1.0, all versions starting from 3.1.2 before 3.2.0, all versions after 3.2.0",
"package_slug": "gem/date",
"pubdate": "2022-01-01",
"solution": "Upgrade to versions 2.0.1, 3.0.2, 3.1.2, 3.2.1 or above.",
"title": "Regular expression denial of service vulnerability (ReDoS) in date",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-41817",
"https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/",
"https://hackerone.com/reports/1254844",
"https://github.com/advisories/GHSA-qg54-694p-wgpp"
],
"uuid": "84a0ec8a-f939-4e52-b971-7c3688115bb9"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "4F906DCD-2E20-4503-8D48-34A8DD858A62",
"versionEndExcluding": "2.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "553D1CED-8FDA-45B1-A1D9-866A915E581E",
"versionEndExcluding": "3.0.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "CD9C7701-F92C-476E-B833-C990410CDB55",
"versionEndExcluding": "3.1.2",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:date:3.2.0:*:*:*:*:ruby:*:*",
"matchCriteriaId": "243E15F0-8B4A-480E-8ECF-016D4D6611A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77EF3309-2FD3-469A-BAA2-D6425F259B27",
"versionEndExcluding": "2.6.9",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7B53365-0B48-4408-A4A7-9A3744F89F07",
"versionEndExcluding": "2.7.5",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D4499575-33A0-47D7-A88B-0E6FD2340792",
"versionEndExcluding": "3.0.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*",
"matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CBC8B78D-1131-4F21-919D-8AC79A410FB9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:suse:linux_enterprise:15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1607628F-77A7-4C1F-98DF-0DC50AE8627D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opensuse:factory:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E29492E1-43D8-43BF-94E3-26A762A66FAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1."
},
{
"lang": "es",
"value": "Date.parse en date gem versiones hasta 3.2.0 para Ruby, permite ReDoS (expresi\u00f3n regular de denegaci\u00f3n de servicio) por medio de una cadena larga. Las versiones corregidas son 3.2.1, 3.1.2, 3.0.2 y 2.0.1.\n"
}
],
"id": "CVE-2021-41817",
"lastModified": "2024-01-24T05:15:11.520",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-01T05:15:08.197",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1254844"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/202401-27"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.