CVE-2021-41817: Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

Affected

23 ranges

Vendor	Product	Version range	Fixed in
date_project	date	>= 0 < 2.0.1	2.0.1
date_project	date	>= 3.0.0 < 3.0.2	3.0.2
date_project	date	>= 3.1.0 < 3.1.2	3.1.2
date_project	date	>= 3.2.0 < 3.2.1	3.2.1
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	ruby2.7	< ruby2.7 2.7.4-1+deb11u1 (bullseye)	ruby2.7 2.7.4-1+deb11u1 (bullseye)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	cbl2_ruby_3.1.2-2_on_cbl_mariner_2.0	—	—
opensuse	leap	—	—
redhat	enterprise_linux	—	—
redhat	enterprise_linux	—	—
ruby-lang	date	< 2.0.1	2.0.1
ruby-lang	date	—	—
ruby-lang	date	>= 3.0.0 < 3.0.2	3.0.2
ruby-lang	date	>= 3.1.0 < 3.1.2	3.1.2
ruby-lang	ruby	>= 2.6.0 < 2.6.9	2.6.9
ruby-lang	ruby	>= 2.7.0 < 2.7.5	2.7.5
ruby-lang	ruby	>= 3.0.0 < 3.0.3	3.0.3
suse	linux_enterprise	—	—
suse	linux_enterprise	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv9.8CRITICAL