CVE-2021-32740: Uncontrolled Resource Consumption in Project Addressable

Severity: 7.5 HIGH (NVD)
EPSS: 0.9% (top 24.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 6; latest update Jul 13

Description

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonethele

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

Debian: debian/ruby-addressable, < ruby-addressable 2.7.0-2 (bookworm)
NVD: addressable_project/addressable, 2.3.0 to 2.8.0
RubyGems: addressable_project/addressable, 2.3.0 to 2.8.0
CVEListV5: sporkmonger/addressable, > 2.3.0, <= 2.7.0

Also affects: Fedora 33, 34

Patches

Vulnerability Details

OSV: Regular Expression Denial of Service in Addressable templates (2021-07-12)
GHSA: Regular Expression Denial of Service in Addressable templates (2021-07-12)
OSV: CVE-2021-32740: Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library (2021-07-06)

Vendor Advisories

Microsoft: Regular Expression Denial of Service in Addressable templates (2021-07-13)
Red Hat: rubygem-addressable: ReDoS in templates (2021-07-03)
Debian: CVE-2021-32740: ruby-addressable - Addressable is an alternative implementation to the URI implementation that is p... (2021)
CVE-2021-32740 — Uncontrolled Resource Consumption | cvebase