CVE-2013-4363

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

Affected Software

Name	Vendor	Start Version	End Version
Rubygems	Rubygems	*	1.8.23 (including)
Rubygems	Rubygems	1.8.0 (including)	1.8.0 (including)
Rubygems	Rubygems	1.8.1 (including)	1.8.1 (including)
Rubygems	Rubygems	1.8.2 (including)	1.8.2 (including)
Rubygems	Rubygems	1.8.3 (including)	1.8.3 (including)
Rubygems	Rubygems	1.8.4 (including)	1.8.4 (including)
Rubygems	Rubygems	1.8.5 (including)	1.8.5 (including)
Rubygems	Rubygems	1.8.6 (including)	1.8.6 (including)
Rubygems	Rubygems	1.8.7 (including)	1.8.7 (including)
Rubygems	Rubygems	1.8.8 (including)	1.8.8 (including)
Rubygems	Rubygems	1.8.9 (including)	1.8.9 (including)
Rubygems	Rubygems	1.8.10 (including)	1.8.10 (including)
Rubygems	Rubygems	1.8.11 (including)	1.8.11 (including)
Rubygems	Rubygems	1.8.12 (including)	1.8.12 (including)
Rubygems	Rubygems	1.8.13 (including)	1.8.13 (including)
Rubygems	Rubygems	1.8.14 (including)	1.8.14 (including)
Rubygems	Rubygems	1.8.15 (including)	1.8.15 (including)
Rubygems	Rubygems	1.8.16 (including)	1.8.16 (including)
Rubygems	Rubygems	1.8.17 (including)	1.8.17 (including)
Rubygems	Rubygems	1.8.18 (including)	1.8.18 (including)
Rubygems	Rubygems	1.8.19 (including)	1.8.19 (including)
Rubygems	Rubygems	1.8.20 (including)	1.8.20 (including)
Rubygems	Rubygems	1.8.21 (including)	1.8.21 (including)
Rubygems	Rubygems	1.8.22 (including)	1.8.22 (including)
Rubygems	Rubygems	1.8.24 (including)	1.8.24 (including)
Rubygems	Rubygems	1.8.25 (including)	1.8.25 (including)
Rubygems	Rubygems	1.8.26 (including)	1.8.26 (including)
Rubygems	Rubygems	2.0.0 (including)	2.0.0 (including)
Rubygems	Rubygems	2.0.0-preview2 (including)	2.0.0-preview2 (including)
Rubygems	Rubygems	2.0.0-preview2.1 (including)	2.0.0-preview2.1 (including)
Rubygems	Rubygems	2.0.0-preview2.2 (including)	2.0.0-preview2.2 (including)
Rubygems	Rubygems	2.0.0-rc1 (including)	2.0.0-rc1 (including)
Rubygems	Rubygems	2.0.0-rc2 (including)	2.0.0-rc2 (including)
Rubygems	Rubygems	2.0.1 (including)	2.0.1 (including)
Rubygems	Rubygems	2.0.2 (including)	2.0.2 (including)
Rubygems	Rubygems	2.0.3 (including)	2.0.3 (including)
Rubygems	Rubygems	2.0.4 (including)	2.0.4 (including)
Rubygems	Rubygems	2.0.5 (including)	2.0.5 (including)
Rubygems	Rubygems	2.0.6 (including)	2.0.6 (including)
Rubygems	Rubygems	2.0.7 (including)	2.0.7 (including)
Rubygems	Rubygems	2.0.8 (including)	2.0.8 (including)
Rubygems	Rubygems	2.0.9 (including)	2.0.9 (including)
Rubygems	Rubygems	2.1.0 (including)	2.1.0 (including)
Rubygems	Rubygems	2.1.0-rc1 (including)	2.1.0-rc1 (including)
Rubygems	Rubygems	2.1.0-rc2 (including)	2.1.0-rc2 (including)
Rubygems	Rubygems	2.1.1 (including)	2.1.1 (including)
Rubygems	Rubygems	2.1.2 (including)	2.1.2 (including)
Rubygems	Rubygems	2.1.3 (including)	2.1.3 (including)
Rubygems	Rubygems	2.1.4 (including)	2.1.4 (including)
Jruby	Ubuntu	devel	*
Jruby	Ubuntu	lucid	*
Jruby	Ubuntu	precise	*
Jruby	Ubuntu	quantal	*
Jruby	Ubuntu	raring	*
Jruby	Ubuntu	upstream	*
Ruby1.9.1	Ubuntu	devel	*
Ruby1.9.1	Ubuntu	lucid	*
Ruby1.9.1	Ubuntu	precise	*
Ruby1.9.1	Ubuntu	quantal	*
Ruby1.9.1	Ubuntu	raring	*
Ruby1.9.1	Ubuntu	upstream	*
Rubygems	Ubuntu	devel	*
Rubygems	Ubuntu	precise	*
Rubygems	Ubuntu	quantal	*
Rubygems	Ubuntu	raring	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-4363
CWE	https://cwe.mitre.org/data/definitions/310.html

Affected Software

References