CVE-2021-41817

Description

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

Affected packages (6)

• Alpine/rubyfrom 0, < 2.7.5-r0
• Bitnami/ruby>= 2.6.0, < 2.6.9, >= 2.7.0, < 2.7.5, >= 3.0.0, < 3.0.3
• Bitnami/ruby-min>= 2.6.0, < 2.6.9, >= 2.7.0, < 2.7.5, >= 3.0.0, < 3.0.3
• Debian/ruby2.3from 0, < 2.3.3-1+deb9u11
• Debian/ruby2.7from 0, < 2.7.4-1+deb11u1
• RubyGems/date>= 3.2.0, < 3.2.1

CVSS scores

References (16)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-41817
• ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-41817
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-41817
• PATCHhttps://github.com/ruby/date
• WEBhttps://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0
• WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/date/CVE-2021-41817.yml
• WEBhttps://hackerone.com/reports/1254844
• WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN
• WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
• WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF
• WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF
• WEBhttps://security.gentoo.org/glsa/202401-27
• WEBhttps://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817
• WEBhttps://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/