ReDoS Vulnerability in Ruby Date Gem Affects Ruby Language
CVE-2021-41817

7.5HIGH

Key Information:

Vendor: Ruby-lang
Status: Date; Ruby
Vendor: CVE Published:; 1 January 2022

What is CVE-2021-41817?

The date gem in Ruby, up to version 3.2.0, is susceptible to a regular expression denial of service (ReDoS) attack. This vulnerability allows an attacker to cause excessive resource consumption by triggering a slow regular expression match against specially crafted input. This can lead to significant performance degradation, potentially making the affected system unresponsive. Users are advised to upgrade to the fixed versions (3.2.1, 3.1.2, 3.0.2, or 2.0.1) to mitigate this risk.

References

https://hackerone.com/reports/1254844

https://www.ruby-lang.org/en/news/2021/11/15/date-parsing...

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 1, 2022
Vulnerability Reserved
Sep 29, 2021

Ruby-lang

What is CVE-2021-41817?

References

CVSS V3.1

Timeline