CVE-2023-28756
Published: 31 March 2023
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
Priority
Status
Package | Release | Status |
---|---|---|
ruby3.0 Launchpad, Ubuntu, Debian |
trusty |
Does not exist
|
xenial |
Does not exist
|
|
bionic |
Does not exist
|
|
focal |
Does not exist
|
|
lunar |
Does not exist
|
|
upstream |
Needs triage
|
|
kinetic |
Released
(3.0.4-7ubuntu0.2)
|
|
jammy |
Released
(3.0.2-7ubuntu2.4)
|
|
mantic |
Does not exist
|
|
jruby Launchpad, Ubuntu, Debian |
xenial |
Needs triage
|
bionic |
Needs triage
|
|
focal |
Needs triage
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Needs triage
|
|
upstream |
Needs triage
|
|
lunar |
Needs triage
|
|
mantic |
Needs triage
|
|
ruby2.5 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(end of standard support)
|
|
lunar |
Does not exist
|
|
bionic |
Released
(2.5.1-1ubuntu1.16)
|
|
mantic |
Does not exist
|
|
ruby2.7 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(end of standard support)
|
|
lunar |
Does not exist
|
|
focal |
Released
(2.7.0-5ubuntu1.11)
|
|
mantic |
Does not exist
|
|
ruby3.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Released
(3.1.2-2ubuntu0.22.10.1)
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(end of standard support)
|
|
lunar |
Released
(3.1.2-6ubuntu0.23.04.1)
|
|
mantic |
Released
(3.1.2-7ubuntu1)
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
mantic |
Does not exist
|
|
ruby2.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
mantic |
Does not exist
|
|
ruby2.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Released
(2.3.1-2~ubuntu16.04.16+esm7)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
mantic |
Does not exist
|
|
rubygems Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Not vulnerable
(code not present)
|
|
kinetic |
Not vulnerable
(code not present)
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(end of standard support)
|
|
lunar |
Not vulnerable
(code not present)
|
|
mantic |
Not vulnerable
(code not present)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | Low |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28756
- https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
- https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
- https://github.com/ruby/time/releases/
- https://www.ruby-lang.org/en/downloads/releases/
- https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e (3.1)
- https://github.com/ruby/time/commit/3dce6f73d14f5fad6d9b302393fd02df48797b11 (0.2)
- https://github.com/ruby/time/commit/b57db51f577875d3e896dcd2ef1dcaf97f23e943 (0.2)
- https://ubuntu.com/security/notices/USN-6055-1
- https://ubuntu.com/security/notices/USN-6055-2
- https://ubuntu.com/security/notices/USN-6087-1
- https://ubuntu.com/security/notices/USN-6181-1
- NVD
- Launchpad
- Debian