[RUBYSEC:DATE-2021-41817] Regular Expression Denial of Service Vulnerability of Date Parsing Methods
Date's parsing methods including Date.parse
are using Regexps internally, some of
which are vulnerable against regular expression denial of service. Applications and
libraries that apply such methods to untrusted input may be affected.
The fix limits the input length up to 128 bytes by default instead of changing the
regexps. This is because Date gem uses many Regexps and it is possible that there are
still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the
limitation by explicitly passing limit
keywords as nil
like
Date.parse(str, limit: nil)
, but note that it may take a long time to parse.
Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You
can use gem update date
to update it. If you are using bundler, please add
gem "date", ">= 3.2.1"
to your Gemfile
.
Package | Affected Version |
---|---|
pkg:gem/date | < 3.2.1 |
Package | Fixed Version |
---|---|
pkg:gem/date | = 2.0.1 |
pkg:gem/date | = 3.0.2 |
pkg:gem/date | = 3.1.2 |
pkg:gem/date | >= 3.2.1 |
- ID
- RUBYSEC:DATE-2021-41817
- Severity
- high
- URL
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
- Published
-
2021-11-15T00:00:00
(2 years ago) - Modified
-
2023-05-15T18:05:13
(16 months ago) - Rights
- RubySec Security Team
- Other Advisories
-
- ALAS2-2023-2345
- ALPINE:CVE-2021-41817
- ALSA-2022:0543
- ALSA-2022:5779
- ALSA-2022:6447
- ALSA-2022:6450
- DSA-5066-1
- DSA-5067-1
- ELSA-2022-0543
- ELSA-2022-5779
- ELSA-2022-6447
- ELSA-2022-6450
- FEDORA-2022-82a9edac27
- FEDORA-2022-8cf0124add
- FREEBSD:6916EA94-4628-11EC-BBE2-0800270512F4
- GLSA-202401-27
- MS:CVE-2021-41817
- RHSA-2022:0543
- RHSA-2022:5779
- RHSA-2022:6447
- RHSA-2022:6450
- RLSA-2022:0543
- RLSA-2022:5779
- RLSA-2022:6447
- RLSA-2022:6450
- SUSE-SU-2022:1512-1
- SUSE-SU-2023:4176-1
- USN-5235-1
Source | # ID | Name | URL |
---|---|---|---|
Security Advisory | GHSA-qg54-694p-wgpp | https://github.com/advisories/GHSA-qg54-694p-wgpp |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |