ReDoS Vulnerability in Time Component Affects Ruby Software
CVE-2023-28756

5.3MEDIUM

Key Information:

Vendor: Ruby-lang
Status: Time; Ruby
Vendor: CVE Published:; 31 March 2023

What is CVE-2023-28756?

A ReDoS vulnerability has been identified in the Time component of Ruby through version 0.2.1. This vulnerability occurs due to the Time parser's improper handling of invalid URLs containing certain characters, resulting in substantial delays when parsing these strings into Time objects. Users are encouraged to update to fixed versions 0.1.1 and 0.2.2 to mitigate the risk associated with this issue.

References

https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-r...

https://www.ruby-lang.org/en/downloads/releases/

https://github.com/ruby/time/releases/

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 31, 2023
Vulnerability Reserved
Mar 23, 2023

Ruby-lang

What is CVE-2023-28756?

References

CVSS V3.1

Timeline