Vulnerability Details CVE-2021-41817
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.4%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://hackerone.com/reports/1254844
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
- https://security.gentoo.org/glsa/202401-27
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
- https://hackerone.com/reports/1254844
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
- https://security.gentoo.org/glsa/202401-27
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
Products affected by CVE-2021-41817
-
cpe:2.3:a:opensuse:factory:-
-
cpe:2.3:a:redhat:software_collections:-
-
cpe:2.3:a:ruby-lang:date:0.0.1
-
cpe:2.3:a:ruby-lang:date:1.0.0
-
cpe:2.3:a:ruby-lang:date:2.0.0
-
cpe:2.3:a:ruby-lang:date:3.0.0
-
cpe:2.3:a:ruby-lang:date:3.0.1
-
cpe:2.3:a:ruby-lang:date:3.1.0
-
cpe:2.3:a:ruby-lang:date:3.1.1
-
cpe:2.3:a:ruby-lang:date:3.2.0
-
cpe:2.3:a:ruby-lang:ruby:2.6.0
-
cpe:2.3:a:ruby-lang:ruby:2.6.1
-
cpe:2.3:a:ruby-lang:ruby:2.6.2
-
cpe:2.3:a:ruby-lang:ruby:2.6.3
-
cpe:2.3:a:ruby-lang:ruby:2.6.4
-
cpe:2.3:a:ruby-lang:ruby:2.6.5
-
cpe:2.3:a:ruby-lang:ruby:2.6.6
-
cpe:2.3:a:ruby-lang:ruby:2.6.7
-
cpe:2.3:a:ruby-lang:ruby:2.6.8
-
cpe:2.3:a:ruby-lang:ruby:2.7.0
-
cpe:2.3:a:ruby-lang:ruby:2.7.1
-
cpe:2.3:a:ruby-lang:ruby:2.7.2
-
cpe:2.3:a:ruby-lang:ruby:2.7.3
-
cpe:2.3:a:ruby-lang:ruby:2.7.4
-
cpe:2.3:a:ruby-lang:ruby:3.0.0
-
cpe:2.3:a:ruby-lang:ruby:3.0.1
-
cpe:2.3:a:ruby-lang:ruby:3.0.2
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:11.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:34
-
cpe:2.3:o:fedoraproject:fedora:35
-
cpe:2.3:o:opensuse:leap:15.2
-
cpe:2.3:o:redhat:enterprise_linux:7.0
-
cpe:2.3:o:redhat:enterprise_linux:8.0
-
cpe:2.3:o:suse:linux_enterprise:12.0
-
cpe:2.3:o:suse:linux_enterprise:15.0