Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
Weakness
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Date | Ruby-lang | * | 2.0.1 (excluding) |
| Date | Ruby-lang | 3.0.0 (including) | 3.0.2 (excluding) |
| Date | Ruby-lang | 3.1.0 (including) | 3.1.2 (excluding) |
| Date | Ruby-lang | 3.2.0 (including) | 3.2.0 (including) |
| Ruby | Ruby-lang | 2.6.0 (including) | 2.6.9 (excluding) |
| Ruby | Ruby-lang | 2.7.0 (including) | 2.7.5 (excluding) |
| Ruby | Ruby-lang | 3.0.0 (including) | 3.0.3 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | ruby:2.6-8050020211215144356.c5368500 | * |
| Red Hat Enterprise Linux 8 | RedHat | ruby:2.5-8060020220715152618.ad008a3a | * |
| Red Hat Enterprise Linux 8 | RedHat | ruby:2.7-8060020220728151401.ad008a3a | * |
| Red Hat Enterprise Linux 8 | RedHat | ruby:3.0-8060020220810162001.ad008a3a | * |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | RedHat | ruby:2.6-8010020220201152941.c27ad7f8 | * |
| Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | ruby:2.6-8020020220201131207.4cda2c84 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support | RedHat | ruby:2.6-8040020220131135901.522a0ee4 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-ruby26-ruby-0:2.6.9-120.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-ruby30-ruby-0:3.0.4-149.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-ruby27-ruby-0:2.7.6-131.el7 | * |
| Ruby2.3 | Ubuntu | esm-infra/xenial | * |
| Ruby2.3 | Ubuntu | trusty | * |
| Ruby2.3 | Ubuntu | xenial | * |
| Ruby2.5 | Ubuntu | bionic | * |
| Ruby2.5 | Ubuntu | esm-infra/bionic | * |
| Ruby2.5 | Ubuntu | trusty | * |
| Ruby2.5 | Ubuntu | xenial | * |
| Ruby2.7 | Ubuntu | esm-infra/focal | * |
| Ruby2.7 | Ubuntu | focal | * |
| Ruby2.7 | Ubuntu | hirsute | * |
| Ruby2.7 | Ubuntu | impish | * |
| Ruby2.7 | Ubuntu | trusty | * |
| Ruby2.7 | Ubuntu | xenial | * |
| Ruby3.0 | Ubuntu | devel | * |
| Ruby3.0 | Ubuntu | jammy | * |
| Ruby3.0 | Ubuntu | trusty | * |
| Ruby3.0 | Ubuntu | xenial | * |
Extended Description
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.
Potential Mitigations
Related Attack Patterns
References
- https://hackerone.com/reports/1254844
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
- https://security.gentoo.org/glsa/202401-27
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
- https://hackerone.com/reports/1254844
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
- https://security.gentoo.org/glsa/202401-27
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/