5.3 CVE-2023-28756

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
https://nvd.nist.gov/vuln/detail/CVE-2023-28756

References

CONFIRM

https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/ Vendor Advisory
https://security.netapp.com/advisory/ntap-20230526-0004/ Third Party Advisory

FEDORA

FEDORA-2023-6b924d3b75 Mailing List Third Party Advisory
FEDORA-2023-a7be7ea1aa Mailing List Third Party Advisory
FEDORA-2023-f58d72c700 Mailing List Third Party Advisory

MISC

https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/ Release Notes
https://github.com/ruby/time/releases/ Release Notes
https://www.ruby-lang.org/en/downloads/releases/ Release Notes

_MLIST

[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update Mailing List Third Party Advisory

CPE

ProHacktive is continuously improving the CVE entries in Nist to avoid false positives. This CVE has been modified and you will find an in front of each modified CPE.

cpe	start	end
Configuration 1
cpe:2.3:a:ruby-lang:time:0.2.1:::::ruby::
cpe:2.3:a:ruby-lang:time:0.1.0:::::ruby::
cpe:2.3:a:ruby-lang:ruby::::::::		<= 2.7.7
Configuration 2
cpe:2.3:o:debian:debian_linux:10.0:::::::*
cpe:2.3:o:fedoraproject:fedora:36:::::::*
cpe:2.3:o:fedoraproject:fedora:37:::::::*
cpe:2.3:o:fedoraproject:fedora:38:::::::*

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

Other (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
492	Regular Expression Exponential Blowup An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.

MITRE

Sherlock® flash

Take a picture of your computer network in a few clicks !

The Sherlock® flash audit solution allows you to perform an audit to strengthen the security of your IT assets. Vulnerability analysis of your physical and virtual equipment. Patch planning by priority level and time available. Detailed and intuitive reporting.

Discover this offer

Sherlock® flash: 1st instant cybersecurity audit solution

cpe	start	end
Configuration 1
cpe:2.3:a:ruby-lang:time:0.2.1:::::ruby::
cpe:2.3:a:ruby-lang:time:0.1.0:::::ruby::
cpe:2.3:a:ruby-lang:ruby::::::::		<= 2.7.7
Configuration 2
cpe:2.3:o:debian:debian_linux:10.0:::::::*
cpe:2.3:o:fedoraproject:fedora:36:::::::*
cpe:2.3:o:fedoraproject:fedora:37:::::::*
cpe:2.3:o:fedoraproject:fedora:38:::::::*