CVE Vulnerabilities

CVE-2023-28756

Inefficient Regular Expression Complexity

Published: Mar 31, 2023 | Modified: Nov 04, 2025
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

Weakness

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Software

NameVendorStart VersionEnd Version
RubyRuby-lang*2.7.7 (including)
TimeRuby-lang0.1.0 (including)0.1.0 (including)
TimeRuby-lang0.2.1 (including)0.2.1 (including)
Red Hat Enterprise Linux 8RedHatruby:2.7-8080020230427102918.63b34585*
Red Hat Enterprise Linux 8RedHatruby:2.5-8090020230627084142.b46abd14*
Red Hat Enterprise Linux 8RedHatruby:3.1-8090020240311122605.a75119d5*
Red Hat Enterprise Linux 8RedHatruby:3.0-8100020240522072634.489197e6*
Red Hat Enterprise Linux 9RedHatruby:3.1-9030020240320163942.9*
Red Hat Enterprise Linux 9RedHatruby-0:3.0.7-162.el9_4*
Red Hat Software Collections for Red Hat Enterprise Linux 7RedHatrh-ruby27-ruby-0:2.7.8-132.el7*
Red Hat Hardened ImagesRedHatruby3-3-main-3.3.10-23.1.hum1*
Red Hat Hardened ImagesRedHatruby3-4-main-3.4.8-31.1.hum1*
Red Hat Hardened ImagesRedHatruby4-0-main-4.0.0-33.3.hum1*
JrubyUbuntubionic*
JrubyUbuntuesm-apps/xenial*
JrubyUbuntufocal*
JrubyUbuntulunar*
JrubyUbuntumantic*
JrubyUbuntuoracular*
JrubyUbuntuplucky*
JrubyUbuntutrusty*
JrubyUbuntutrusty/esm*
JrubyUbuntuxenial*
Ruby1.9.1Ubuntutrusty*
Ruby2.0Ubuntutrusty*
Ruby2.3Ubuntuesm-infra-legacy/xenial*
Ruby2.3Ubuntuesm-infra/xenial*
Ruby2.3Ubuntuxenial*
Ruby2.5Ubuntubionic*
Ruby2.5Ubuntuesm-infra/bionic*
Ruby2.5Ubuntutrusty*
Ruby2.5Ubuntuxenial*
Ruby2.7Ubuntuesm-infra/focal*
Ruby2.7Ubuntufocal*
Ruby2.7Ubuntutrusty*
Ruby2.7Ubuntuxenial*
Ruby3.0Ubuntujammy*
Ruby3.0Ubuntukinetic*
Ruby3.1Ubuntukinetic*
Ruby3.1Ubuntulunar*
Ruby3.1Ubuntumantic*
Ruby3.1Ubuntutrusty*
Ruby3.1Ubuntuxenial*
RubygemsUbuntutrusty*
RubygemsUbuntuxenial*

Potential Mitigations

References