CVE-2023-28756
Published 2023-03-31
CVE-2023-28756: A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters…
Priority: P4 28 medium · CVSS 3.1 score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 2.45% (82.4th percentile)
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | jruby | < jruby 9.4.5.0+ds-1 (forky) | jruby 9.4.5.0+ds-1 (forky) |
| debian | ruby2.7 | < jruby 9.4.5.0+ds-1 (forky) | jruby 9.4.5.0+ds-1 (forky) |
| debian | ruby3.1 | < jruby 9.4.5.0+ds-1 (forky) | jruby 9.4.5.0+ds-1 (forky) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| jruby | jruby | >= 0 < 9.4.5.0+ds-1 | 9.4.5.0+ds-1 |
| jruby | jruby | >= 0 < 9.4.5.0+ds-1 | 9.4.5.0+ds-1 |
| ruby-lang | ruby | <= 2.7.7 | — |
| ruby-lang | time | — | — |
| ruby-lang | time | — | — |
| time_project | time | >= 0 < 0.1.1 | 0.1.1 |
| time_project | time | >= 0.2.0 < 0.2.2 | 0.2.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | 5.3 | MEDIUM | — |
| vendor_ubuntu | 8.8 | HIGH | — |
| vendor_oracle | 7.5 | MEDIUM | — |
| vendor_debian | 5.3 | MEDIUM | — |
| vendor_redhat | 5.3 | MEDIUM | — |
Oracle
CVE-2023-28756 [MEDIUM] Oracle PeopleSoft Risk Matrix: PeopleSoft CDA (Ruby) — CVE-2023-28756
vendor_oracle · 2024-07-15 · CVSS 5.3
CVE: CVE-2023-28756
CVSS: 5.3
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Oracle
CVE-2023-28756 [MEDIUM] Oracle JD Edwards Risk Matrix: One-Click Provisioning (Ruby) — CVE-2023-28756
vendor_oracle · 2024-01-15 · CVSS 7.5
CVE: CVE-2023-28756
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Ubuntu
CVE-2023-28755 [HIGH] Ruby vulnerabilities
vendor_ubuntu · 2023-06-21 · CVSS 8.8
Summary: Several security issues were fixed in Ruby.
Hiroshi Tokumaru discovered that Ruby did not properly handle certain user input for applications that generate HTTP responses using the cgi gem. An attacker could possibly use this issue to maliciously modify the response a user would receive from a vulnerable application. This issue only affected Ubuntu 22.10. (CVE-2021-33621)

It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-28755, CVE-2023-28756)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
CVE-2023-28756 [MEDIUM] Ruby vulnerabilities
vendor_ubuntu · 2023-05-18 · CVSS 5.3
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-28755)

It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 ESM. (CVE-2023-28756)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
CVE-2023-28755 [MEDIUM] Ruby vulnerabilities
vendor_ubuntu · 2023-05-04 · CVSS 5.3
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-28755)

It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue is being addressed only for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2023-28756)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
CVE-2023-28756 [MEDIUM] CWE-20 ruby: ReDoS vulnerability in Time
vendor_redhat · 2023-03-21 · CVSS 5.3
A flaw was found in the Time gem and Time library of Ruby. The Time parser mishandles invalid strings with specific characters and causes an increase in execution time for parsing strings to Time objects. This issue may result in a Regular expression denial of service (ReDoS).
Package: ruby (Red Hat Enterprise Linux 6) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 7) - Will not fix
Package: ruby:2.6/ruby (Red Hat Enterprise Linux 8) - Will not fix
Package: rh-rub
Debian
CVE-2023-28756 [MEDIUM] jruby - A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through...
vendor_debian · 2023 · CVSS 5.3
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
Scope: local
bookworm: open
forky: resolved (fixed in 9.4.5.0+ds-1)
sid: resolved (fixed in 9.4.5.0+ds-1)
trixie: resolved (fixed in 9.4.5.0+ds-1)
OSV
CVE-2023-28755 [MEDIUM] ruby2.3, ruby2.5, ruby2.7 vulnerabilities
osv · 2023-05-18 · CVSS 5.3
It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-28755)

It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 ESM. (CVE-2023-28756)
OSV
CVE-2023-28755 [MEDIUM] ruby2.3, ruby2.5, ruby2.7 vulnerabilities
osv · 2023-05-04 · CVSS 5.3
It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-28755)

It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue is being addressed only for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2023-28756)
OSV
CVE-2023-28756 [MEDIUM] CVE-2023-28756: A ReDoS issue was discovered in the Time component through 0
osv · 2023-03-31 · CVSS 5.3
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
OSV
CVE-2023-28756 [HIGH] Ruby Time component ReDoS issue
osv · 2023-03-31
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
GHSA
CVE-2023-28756 [HIGH] CWE-1333 Ruby Time component ReDoS issue
ghsa · 2023-03-31
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2023-28756 [MEDIUM] ReDoS (Ruby, Time)
hackerone · 2023-04-26 · CVSS 5.3
I reported at https://hackerone.com/reports/1485501
https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
> The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects.
> A ReDoS issue was discovered in the Time gem 0.1.0 and 0.2.1 and Time library of Ruby 2.7.7.
## Impact
ReDoS occurs when `Time.rfc2822` accepts user input.
In `Rack::ConditionalGet`, the header value is parsed by `Time.rfc2822`, so it is possible to attack from the request.
Rails uses `::Rack::ConditionalGet` by default, so it can be attacked by a request from the client.
CVE-2023-28756: ReDoS vulnerability in Time
We have released the time gem version 0.1.1 and 0.2.2 that has a security fix f
Bugzilla
CVE-2023-29469 [MEDIUM] libxml2: Hashing of empty dict strings isn't deterministic
bugzilla · 2023-04-11 · CVSS 5.3
When hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results. This could lead to various logic or memory errors, including double frees.
References:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
Discussion:
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 2185985]
---
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 2185987]
Created pcem tracking bugs for this issue:
Affects: fedora-all [bug 2185988]
Created qt5-qtwebengine tracking bugs for this issue:
Affects: epel-all [bug 2185986]
Affects: fedora-a
Bugzilla
CVE-2023-28756 [MEDIUM] ruby: ReDoS vulnerability in Time
bugzilla · 2023-04-03 · CVSS 5.3
The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects.
A ReDoS issue was discovered in the Time gem 0.1.0 and 0.2.1 and Time library of Ruby 2.7.7.
Discussion:
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2023:3291 https://access.redhat.com/errata/RHSA-2023:3291
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:3821 https://access.redhat.com/errata/RHSA-2023:3821
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cv
References:
https://github.com/ruby/time/releases/
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
https://security.gentoo.org/glsa/202401-27
https://security.netapp.com/advisory/ntap-20230526-0004/
https://www.ruby-lang.org/en/downloads/releases/
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/