CVE-2013-4287
Published 2013-10-17
CVE-2013-4287: Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x…
Priority P4 · 20 · medium · CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
EPSS: 3.34% (87.1th percentile)
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
Affected
54 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rubygems | < rubygems 3.2.0~rc.1-1 (bookworm) | rubygems 3.2.0~rc.1-1 (bookworm) |
| redhat | enterprise_linux | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| rubygems | rubygems | <= 1.8.23 | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| ghsa | — | 4.3 | MEDIUM | — |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
GHSA (ghsa) · 2022-05-17 · CVSS 4.3
CVE-2013-4363 [MEDIUM] RubyGems Regular Expression Denial of Service
Algorithmic complexity vulnerability in `Gem::Version::ANCHORED_VERSION_PATTERN` in `lib/rubygems/version.rb` in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
OSV (osv) · 2022-05-17 · CVSS 4.3
CVE-2013-4363 [MEDIUM] RubyGems Regular Expression Denial of Service
Algorithmic complexity vulnerability in `Gem::Version::ANCHORED_VERSION_PATTERN` in `lib/rubygems/version.rb` in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
OSV (osv) · 2022-05-14
CVE-2013-4287 [MEDIUM] RubyGems Regular Expression Denial of Service vulnerability
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in `lib/rubygems/version.rb` in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
GHSA (ghsa) · 2022-05-14
CVE-2013-4287 [MEDIUM] CWE-400 RubyGems Regular Expression Denial of Service vulnerability
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in `lib/rubygems/version.rb` in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
OSV (osv) · 2013-10-17 · CVSS 4.3
CVE-2013-4287 [MEDIUM] Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
OSV (osv) · 2013-10-17 · CVSS 4.3
CVE-2013-4363 [MEDIUM] Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
Red Hat (vendor_redhat) · 2013-09-15 · CVSS 4.3
CVE-2013-4363 [MEDIUM] CWE-407 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
Statement: Not vulnerable. This issue did not affect the versions of rubygems as shipped with various Red Hat products.
Package: rubygems (CloudForms Management Engine 5) - Not affected
Package: ruby193-ruby (OpenShift Enterprise
Red Hat (vendor_redhat) · 2013-09-09 · CVSS 4.3
CVE-2013-4287 [MEDIUM] CWE-407 rubygems: version regex algorithmic complexity vulnerability
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
A denial of service vulnerability exists in RubyGems versions 2.0.7 and older: when RubyGems validates a version string it uses a regular expression whose algorithmic complexity causes excessive resource consumption.
Statement: Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support and maintenance life
Debian (vendor_debian) · 2013 · CVSS 4.3
CVE-2013-4363 [MEDIUM] rubygems - Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN i...
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
Scope: local
bookworm: resolved (fixed in 3.2.0~rc.1-1)
bullseye: resolved (fixed in 3.2.0~rc.1-1)
forky: resolved (fixed in 3.2.0~rc.1-1)
sid: resolved (fixed in 3.2.0~rc.1-1)
trixie: resolved (fixed in 3.2.0~rc.1-1)
Debian (vendor_debian) · 2013 · CVSS 4.3
CVE-2013-4287 [MEDIUM] rubygems - Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rub...
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
Scope: local
bookworm: resolved (fixed in 3.2.0~rc.1-1)
bullseye: resolved (fixed in 3.2.0~rc.1-1)
forky: resolved (fixed in 3.2.0~rc.1-1)
sid: resolved (fixed in 3.2.0~rc.1-1)
trixie: resolved (fixed in 3.2.0~rc.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla (bugzilla) · 2013-09-19 · CVSS 4.3
CVE-2013-4363 [MEDIUM] rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions, attackers can cause denial of service through CPU consumption.
An initial attempt to fix this (CVE-2013-4287) was made; however, the regex used was found to be insufficient and still allowed a denial of service to occur.
http://seclists.org/oss-sec/2013/q3/605
http://seclists.org/oss-sec/2013/q3/631
Discussion:
CVE-2013-4287 is tracked via bug 1002364.
CVE-2013-4363 is now fixed upstream in versions: 2.1.5, 2.0.10, 1.8.27 and 1.8.23.2
External References:
http://blog.rubygems.org/2013/09/24/CVE-2013-4363
Bugzilla (bugzilla) · 2013-08-29 · CVSS 4.3
CVE-2013-4287 [MEDIUM] rubygems: version regex algorithmic complexity vulnerability
RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions, attackers can cause denial of service through CPU consumption.
RubyGems versions 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2 are vulnerable. Ruby versions 1.9.0 through 2.0.0p247 are vulnerable as they contain embedded versions of RubyGems.
It does not appear to be possible to exploit this vulnerability by installing a gem for RubyGems 1.8.x or 2.0.x. Vulnerable uses of the RubyGems API include packaging a gem (through `gem build`, Gem::Package or Gem::PackageTask), sending user input to Gem::Version.new, Gem::Version.correct? or use of the Gem
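The Bugzilla note above lists sending user input to Gem::Version.new or Gem::Version.correct? as a vulnerable use of the RubyGems API. The Ruby below is an added example, not code from RubyGems, Red Hat or this page: a pre-validation guard an application can place in front of those calls so that an untrusted version string is length-bounded and matched against a simple, unambiguous allowlist pattern before RubyGems' own pattern ever sees it. The module name VersionGuard, the 64-byte limit and the allowlist pattern are assumptions chosen for this example (the pattern is deliberately stricter than RubyGems' own version grammar), and the sample strings are constructed. Upgrading RubyGems to one of the fixed versions listed on this page remains the actual fix; the guard only bounds how much work one input can cause in an application that cannot upgrade immediately.

```ruby
# Added example (not RubyGems or vendor code): bound and allowlist untrusted
# version strings before they reach Gem::Version.new / Gem::Version.correct?.
require "rubygems"

module VersionGuard
  # Hypothetical limit chosen for this example; real version strings are short,
  # and backtracking cost grows with input length, so a cap bounds the work.
  MAX_LEN = 64

  # Allowlist pattern (an assumption, stricter than RubyGems' own grammar).
  # Every repeated group is introduced by a literal "." or "-", so the engine
  # never has two ways to split the same substring and cannot backtrack
  # explosively: "1.8.23.1", "2.1.0.rc.2" and "1.0.0-beta" all match.
  SAFE_PATTERN = /\A[0-9]+(\.[0-9A-Za-z]+)*(-[0-9A-Za-z]+(\.[0-9A-Za-z]+)*)?\z/

  # Returns a Gem::Version, or nil when the input is rejected by the guard
  # or by RubyGems itself.
  def self.parse(input)
    return nil unless input.is_a?(String)
    return nil if input.bytesize > MAX_LEN        # bound regex work first
    return nil unless SAFE_PATTERN.match?(input)  # linear-time allowlist
    Gem::Version.new(input)                       # only now hand it to RubyGems
  rescue ArgumentError                            # RubyGems rejected it anyway
    nil
  end

  def self.accepted?(input)
    !parse(input).nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs with the expected outcome for each.
  samples = {
    "1.8.23.1"           => "accepted",
    "2.1.0.rc.2"         => "accepted",
    "1.0.0-beta"         => "accepted (RubyGems treats it as a prerelease)",
    " 1.2.3"             => "rejected (leading whitespace)",
    "1.2.3 extra"        => "rejected (trailing garbage)",
    "1." + ("0." * 100)  => "rejected (longer than MAX_LEN)",
  }
  samples.each do |s, note|
    puts "#{s.inspect[0, 24].ljust(24)} -> #{VersionGuard.accepted?(s)}  #{note}"
  end
end
```

The guard runs before Gem::Version so that a rejected string never reaches the pattern this CVE describes; if the application needs version syntax the allowlist forbids, widen SAFE_PATTERN only with delimiter-separated groups, never with adjacent repetitions of overlapping character classes.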
References:
http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
http://rhn.redhat.com/errata/RHSA-2013-1427.html
http://rhn.redhat.com/errata/RHSA-2013-1441.html
http://rhn.redhat.com/errata/RHSA-2013-1523.html
http://rhn.redhat.com/errata/RHSA-2013-1852.html
http://rhn.redhat.com/errata/RHSA-2014-0207.html
http://secunia.com/advisories/55381
http://www.openwall.com/lists/oss-security/2013/09/10/1
https://puppet.com/security/cve/cve-2013-4287