CVE-2024-43380
published 2024-08-19CVE-2024-43380: fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any…
PriorityP338high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.79%
51.7th percentile
fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-fugit | — | — |
| floraison | fugit | < 1.11.1 | 1.11.1 |
| floraison | fugit | >= 0 < 1.11.1 | 1.11.1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2024-43380: fugit contains time tools for flor and the floraison group
osv·2024-08-19·CVSS 7.5
CVE-2024-43380 [HIGH] CVE-2024-43380: fugit contains time tools for flor and the floraison group
fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
GHSA
fugit parse and parse_nat stall on lengthy input
ghsa·2024-08-19
CVE-2024-43380 [MEDIUM] CWE-400 fugit parse and parse_nat stall on lengthy input
fugit parse and parse_nat stall on lengthy input
### Impact
The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight.
Fugit dependents that do not check (user) input length for plausability are impacted.
### Patches
Problem was reported in #104 and the fix was released in [fugit 1.11.1](https://rubygems.org/gems/fugit/versions/1.11.1)
### Workarounds
By making sure that `Fugit.parse(s)`, `Fugit.do_parse(s)`, `Fugit.parse_nat(s)`, `Fugit.do_parse_nat(s)`, `Fugit::Nat.parse(s)`, and `Fugit::Nat.do_parse(s)` are not fed strings too long. 1000 chars feels ok, while 10_000 chars makes it stall.
In fewer
OSV
fugit parse and parse_nat stall on lengthy input
osv·2024-08-19
CVE-2024-43380 [MEDIUM] fugit parse and parse_nat stall on lengthy input
fugit parse and parse_nat stall on lengthy input
### Impact
The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight.
Fugit dependents that do not check (user) input length for plausability are impacted.
### Patches
Problem was reported in #104 and the fix was released in [fugit 1.11.1](https://rubygems.org/gems/fugit/versions/1.11.1)
### Workarounds
By making sure that `Fugit.parse(s)`, `Fugit.do_parse(s)`, `Fugit.parse_nat(s)`, `Fugit.do_parse_nat(s)`, `Fugit::Nat.parse(s)`, and `Fugit::Nat.do_parse(s)` are not fed strings too long. 1000 chars feels ok, while 10_000 chars makes it stall.
In fewer
Red Hat
fugit: Improper input validation in "natural" parser may lead to DoS
vendor_redhat·2024-08-19·CVSS 5.3
CVE-2024-43380 [MEDIUM] CWE-400 fugit: Improper input validation in "natural" parser may lead to DoS
fugit: Improper input validation in "natural" parser may lead to DoS
fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
A flaw was found in fugit's parser. Due to a lack of user input validation, the natural parser may accept any length of input and will attempt to parse it. The parse can create a thread which will never return, causing high CPU usage, which may lead to a Denial of Service.
Package: 3scale-amp-system-c
Debian
CVE-2024-43380: ruby-fugit - fugit contains time tools for flor and the floraison group. The fugit "natural" ...
vendor_debian·2024·CVSS 5.3
CVE-2024-43380 [MEDIUM] CVE-2024-43380: ruby-fugit - fugit contains time tools for flor and the floraison group. The fugit "natural" ...
fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
Scope: local
bookworm: open
bullseye: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-08-19
Published