First published: Wed Jun 23 2021 (Updated: )
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example `BinData::Bit100000`, `BinData::Bit100001`, `BinData::Bit100002`, `BinData::Bit<N>`. In combination with `<user_input>.constantize` there is a potential for a CPU-based DoS. In version 2.4.10, bindata improved the creation time of Bits and Integers.
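The root cause above is that `BinData::Bit<N>` classes are generated on demand for whatever `N` appears in the constant name, so handing user input to `constantize` lets the caller pick an arbitrarily large `N`. The following is an added example (not code from the advisory, SecAlerts, or the bindata project) of a defender-side alternative: resolve user-supplied type names only through a bounded pattern and a fixed allowlist, so unbounded `Bit<N>` names are rejected before any constant lookup happens. The width cap and the allowlisted names are assumptions about what an application legitimately needs.

```ruby
# Added example: bounded resolution of user-supplied BinData type names
# (upgrading bindata to >= 2.4.10 is still the real fix).

# Assumption: the widest Bit<N> this application ever needs.
MAX_BIT_WIDTH = 64

# Only "BinData::Bit<N>" with a 1-3 digit N and no leading zeros; the bounded
# digit count alone already rules out names like BinData::Bit100000.
BIT_TYPE = /\ABinData::Bit([1-9]\d{0,2})\z/

# Assumption: fixed, non-parameterised types the application accepts.
ALLOWED_TYPES = %w[BinData::Uint8 BinData::Uint16be BinData::Uint32le].freeze

# Returns a canonical type name if the input is acceptable, otherwise nil.
# No constant is looked up here, so untrusted input never reaches const_missing.
def safe_bindata_type_name(user_input)
  return user_input if ALLOWED_TYPES.include?(user_input)

  m = BIT_TYPE.match(user_input.to_s)
  return nil unless m

  width = Integer(m[1], 10)
  return nil unless width.between?(1, MAX_BIT_WIDTH)

  "BinData::Bit#{width}"
end

# Resolves the constant only after the name has passed the checks above.
def resolve_bindata_type(user_input)
  name = safe_bindata_type_name(user_input)
  raise ArgumentError, "unsupported BinData type: #{user_input.inspect}" unless name

  Object.const_get(name)
end
```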
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bindata Project Bindata | <2.4.10 | |
| GitLab GitLab | >=12.0 | |
| GitLab GitLab | >=12.0, <13.10.5 | |
| GitLab GitLab | >=13.11.0, <13.11.5 | |
| GitLab GitLab | >=13.12.0, <13.12.2 | |
| rubygems/bindata | <2.4.10 | 2.4.10 |
CVE-2021-32823 is a potential denial-of-service vulnerability in the bindata RubyGem before version 2.4.10.
In affected versions of bindata, certain classes in BinData, such as BinData::Bit100000 and BinData::Bit100001, are very slow to be created, resulting in a potential denial-of-service vulnerability.
The bindata RubyGem before version 2.4.10, as well as GitLab versions 12.0 and above (both Community and Enterprise Editions), are affected by CVE-2021-32823.
CVE-2021-32823 has a severity rating of medium (3.7).
To fix CVE-2021-32823, update the bindata RubyGem to version 2.4.10 or higher.