CVE-2023-28756

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

Weakness

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Affected Software

Extended Description

      Attackers can create crafted inputs that
      intentionally cause the regular expression to use
      excessive backtracking in a way that causes the CPU
      consumption to spike.

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/492.html

References

• https://github.com/ruby/time/releases/
• https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
• https://security.gentoo.org/glsa/202401-27
• https://security.netapp.com/advisory/ntap-20230526-0004/
• https://www.ruby-lang.org/en/downloads/releases/
• https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
• https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/