CVE-2013-4287
First published: Thu Oct 17 2013(Updated: )
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in `lib/rubygems/version.rb` in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rubygems-update | >=2.1.0.rc.1<2.1.0 | 2.1.0 |
| rubygems/rubygems-update | >=2.0.0<2.0.8 | 2.0.8 |
| rubygems/rubygems-update | >=1.8.24<1.8.26 | 1.8.26 |
| rubygems/rubygems-update | <1.8.23.1 | 1.8.23.1 |
| Red Hat Enterprise Linux | =6.0 | |
| RubyGems Mail Gem | <=1.8.23 | |
| RubyGems Mail Gem | =1.8.0 | |
| RubyGems Mail Gem | =1.8.1 | |
| RubyGems Mail Gem | =1.8.2 | |
| RubyGems Mail Gem | =1.8.3 | |
| RubyGems Mail Gem | =1.8.4 | |
| RubyGems Mail Gem | =1.8.5 | |
| RubyGems Mail Gem | =1.8.6 | |
| RubyGems Mail Gem | =1.8.7 | |
| RubyGems Mail Gem | =1.8.8 | |
| RubyGems Mail Gem | =1.8.9 | |
| RubyGems Mail Gem | =1.8.10 | |
| RubyGems Mail Gem | =1.8.11 | |
| RubyGems Mail Gem | =1.8.12 | |
| RubyGems Mail Gem | =1.8.13 | |
| RubyGems Mail Gem | =1.8.14 | |
| RubyGems Mail Gem | =1.8.15 | |
| RubyGems Mail Gem | =1.8.16 | |
| RubyGems Mail Gem | =1.8.17 | |
| RubyGems Mail Gem | =1.8.18 | |
| RubyGems Mail Gem | =1.8.19 | |
| RubyGems Mail Gem | =1.8.20 | |
| RubyGems Mail Gem | =1.8.21 | |
| RubyGems Mail Gem | =1.8.22 | |
| RubyGems Mail Gem | =1.8.24 | |
| RubyGems Mail Gem | =1.8.25 | |
| RubyGems Mail Gem | =2.0.0 | |
| RubyGems Mail Gem | =2.0.1 | |
| RubyGems Mail Gem | =2.0.2 | |
| RubyGems Mail Gem | =2.0.3 | |
| RubyGems Mail Gem | =2.0.4 | |
| RubyGems Mail Gem | =2.0.5 | |
| RubyGems Mail Gem | =2.0.6 | |
| RubyGems Mail Gem | =2.0.7 | |
| RubyGems Mail Gem | =2.1.0-rc1 | |
| RubyGems Mail Gem | =2.1.0-rc2 | |
| Ruby | =1.9 | |
| Ruby | =1.9.1 | |
| Ruby | =1.9.2 | |
| Ruby | =1.9.3 | |
| Ruby | =1.9.3-p0 | |
| Ruby | =1.9.3-p125 | |
| Ruby | =1.9.3-p194 | |
| Ruby | =1.9.3-p286 | |
| Ruby | =1.9.3-p383 | |
| Ruby | =1.9.3-p385 | |
| Ruby | =1.9.3-p392 | |
| Ruby | =1.9.3-p426 | |
| Ruby | =1.9.3-p429 | |
| Ruby | =2.0 | |
| Ruby | =2.0.0 | |
| Ruby | =2.0.0-p0 | |
| Ruby | =2.0.0-p195 | |
| Ruby | =2.0.0-p247 | |
| Ruby | =2.0.0-preview1 | |
| Ruby | =2.0.0-preview2 | |
| Ruby | =2.0.0-rc1 | |
| Ruby | =2.0.0-rc2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
- http://rhn.redhat.com/errata/RHSA-2013-1427.html
- http://rhn.redhat.com/errata/RHSA-2013-1441.html
- http://rhn.redhat.com/errata/RHSA-2013-1523.html
- http://rhn.redhat.com/errata/RHSA-2013-1852.html
- http://rhn.redhat.com/errata/RHSA-2014-0207.html
- http://secunia.com/advisories/55381
- http://www.openwall.com/lists/oss-security/2013/09/10/1
- https://puppet.com/security/cve/cve-2013-4287
Frequently Asked Questions
What is the severity of CVE-2013-4287?
CVE-2013-4287 is considered to have a medium severity as it allows remote attackers to cause a denial of service.
How do I fix CVE-2013-4287?
To fix CVE-2013-4287, update RubyGems to versions 1.8.26, 1.8.23.1, 2.0.8, or 2.1.0.
Which versions of RubyGems are affected by CVE-2013-4287?
Versions of RubyGems prior to 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0 are affected.
What type of vulnerability is CVE-2013-4287?
CVE-2013-4287 is an algorithmic complexity vulnerability affecting the version handling in RubyGems.
Are Ruby versions also affected by CVE-2013-4287?
Yes, Ruby versions from 1.9.0 through 2.0.0p247 can be affected when using vulnerable RubyGems.
- collector/github-advisory-latest
- alias/GHSA-9j7m-rjqx-48vh
- alias/CVE-2013-4287
- collector/github-advisory
- agent/author
- agent/type
- agent/remedy
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/rubygems
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- vendor/rubygems
- canonical/rubygems mail gem
- version/rubygems mail gem/1.8.23
- version/rubygems mail gem/1.8.0
- version/rubygems mail gem/1.8.1
- version/rubygems mail gem/1.8.2
- version/rubygems mail gem/1.8.3
- version/rubygems mail gem/1.8.4
- version/rubygems mail gem/1.8.5
- version/rubygems mail gem/1.8.6
- version/rubygems mail gem/1.8.7
- version/rubygems mail gem/1.8.8
- version/rubygems mail gem/1.8.9
- version/rubygems mail gem/1.8.10
- version/rubygems mail gem/1.8.11
- version/rubygems mail gem/1.8.12
- version/rubygems mail gem/1.8.13
- version/rubygems mail gem/1.8.14
- version/rubygems mail gem/1.8.15
- version/rubygems mail gem/1.8.16
- version/rubygems mail gem/1.8.17
- version/rubygems mail gem/1.8.18
- version/rubygems mail gem/1.8.19
- version/rubygems mail gem/1.8.20
- version/rubygems mail gem/1.8.21
- version/rubygems mail gem/1.8.22
- version/rubygems mail gem/1.8.24
- version/rubygems mail gem/1.8.25
- version/rubygems mail gem/2.0.0
- version/rubygems mail gem/2.0.1
- version/rubygems mail gem/2.0.2
- version/rubygems mail gem/2.0.3
- version/rubygems mail gem/2.0.4
- version/rubygems mail gem/2.0.5
- version/rubygems mail gem/2.0.6
- version/rubygems mail gem/2.0.7
- version/rubygems mail gem/2.1.0-rc1
- version/rubygems mail gem/2.1.0-rc2
- vendor/ruby-lang
- canonical/ruby
- version/ruby/1.9
- version/ruby/1.9.1
- version/ruby/1.9.2
- version/ruby/1.9.3
- version/ruby/1.9.3-p0
- version/ruby/1.9.3-p125
- version/ruby/1.9.3-p194
- version/ruby/1.9.3-p286
- version/ruby/1.9.3-p383
- version/ruby/1.9.3-p385
- version/ruby/1.9.3-p392
- version/ruby/1.9.3-p426
- version/ruby/1.9.3-p429
- version/ruby/2.0
- version/ruby/2.0.0
- version/ruby/2.0.0-p0
- version/ruby/2.0.0-p195
- version/ruby/2.0.0-p247
- version/ruby/2.0.0-preview1
- version/ruby/2.0.0-preview2
- version/ruby/2.0.0-rc1
- version/ruby/2.0.0-rc2