CVE-2013-4363
Published 2013-10-17
Priority P4 · 17 · medium · 4.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 1.69% (74.2th percentile)
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
Affected
53 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rubygems | < rubygems 3.2.0~rc.1-1 (bookworm) | rubygems 3.2.0~rc.1-1 (bookworm) |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| rubygems | rubygems | <= 1.8.23 | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
| rubygems | rubygems | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS 2.0) | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| ghsa | 4.3 | MEDIUM | — |
| osv | 4.3 | MEDIUM | — |
| vendor_debian | 4.3 | LOW | — |
| vendor_redhat | 4.3 | MEDIUM | — |
Red Hat
rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
vendor_redhat · 2013-09-15 · CVSS 4.3 · MEDIUM · CWE-407
Statement: Not vulnerable. This issue did not affect the versions of rubygems as shipped with various Red Hat products.
Package: rubygems (CloudForms Management Engine 5) - Not affected
Package: ruby193-ruby (OpenShift Enterprise
Debian
CVE-2013-4363: rubygems - Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN i...
vendor_debian · 2013 · CVSS 4.3 · MEDIUM
Scope: local
bookworm: resolved (fixed in 3.2.0~rc.1-1)
bullseye: resolved (fixed in 3.2.0~rc.1-1)
forky: resolved (fixed in 3.2.0~rc.1-1)
sid: resolved (fixed in 3.2.0~rc.1-1)
trixie: resolved (fixed in 3.2.0~rc.1-1)
GHSA
RubyGems Regular Expression Denial of Service
ghsa · 2022-05-17 · CVSS 4.3 · MEDIUM
OSV
RubyGems Regular Expression Denial of Service
osv · 2022-05-17 · CVSS 4.3 · MEDIUM
OSV
CVE-2013-4363: Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version
osv · 2013-10-17 · CVSS 4.3 · MEDIUM
No detection rules found.
No public exploits indexed.
References
- http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
- http://www.openwall.com/lists/oss-security/2013/09/14/3
- http://www.openwall.com/lists/oss-security/2013/09/18/8
- http://www.openwall.com/lists/oss-security/2013/09/20/1
- https://puppet.com/security/cve/cve-2013-4363