CVE-2023-28756 — Regex Denial of Service in Project Time

CWE-1333 — Regex Denial of Service CWE-20 — Improper Input Validation16 documents10 sources

Severity

5.3MEDIUMNVD

EPSS

0.9%

top 24.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jruby Time Project Time Ruby-lang Ruby +3 more

Timeline

PublishedMar 31

Latest updateJul 15

Description

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDruby-lang/time0.1.0, 0.2.1+1

▶RubyGemstime_project/time0.2.0 — 0.2.2+1

▶Debianjruby/jruby< 9.4.5.0+ds-1+1

▶NVDruby-lang/ruby2.7.7

Also affects: Debian Linux 10.0, Fedora 36, 37, 38

🔴Vulnerability Details

OSV

ruby2.3, ruby2.5, ruby2.7 vulnerabilities↗2023-05-18

▶

OSV

ruby2.3, ruby2.5, ruby2.7 vulnerabilities↗2023-05-04

▶

OSV

CVE-2023-28756: A ReDoS issue was discovered in the Time component through 0↗2023-03-31

▶

CVEList

CVE-2023-28756: A ReDoS issue was discovered in the Time component through 0↗2023-03-31

▶

OSV

Ruby Time component ReDoS issue↗2023-03-31

▶

📋Vendor Advisories

Oracle

Oracle Oracle PeopleSoft Risk Matrix: PeopleSoft CDA (Ruby) — CVE-2023-28756↗2024-07-15

▶

Oracle

Oracle Oracle JD Edwards Risk Matrix: One-Click Provisioning (Ruby) — CVE-2023-28756↗2024-01-15

▶

Ubuntu

Ruby vulnerabilities↗2023-06-21

▶

Ubuntu

Ruby vulnerabilities↗2023-05-18

▶

Ubuntu

Ruby vulnerabilities↗2023-05-04

▶

💬Community

HackerOne

ReDoS( Ruby, Time)↗2023-04-26

▶

Bugzilla

CVE-2023-28756 ruby: ReDoS vulnerability in Time↗2023-04-03

▶