CVE-2023-28756
First published: Fri Mar 31 2023(Updated: )
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby-lang Ruby | <=2.7.7 | |
| Ruby-lang Time | =0.1.0 | |
| Ruby-lang Time | =0.2.1 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| rubygems/time | <0.1.1 | 0.1.1 |
| rubygems/time | >=0.2.0<0.2.2 | 0.2.2 |
| debian/jruby | <=9.3.9.0+ds-8 | 9.4.8.0+ds-1 |
| debian/ruby2.7 | <=2.7.4-1+deb11u1 | 2.7.4-1+deb11u3 |
| debian/ruby3.1 | <=3.1.2-7+deb12u1<=3.1.2-8.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ruby/time/releases/
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
- https://security.netapp.com/advisory/ntap-20230526-0004/
- https://www.ruby-lang.org/en/downloads/releases/
- https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
- https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
- https://security.gentoo.org/glsa/202401-27
- https://nvd.nist.gov/vuln/detail/CVE-2023-28756
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/time/CVE-2023-28756.yml
- https://github.com/advisories/GHSA-fg7x-g82r-94qc (Advisory)
- https://launchpad.net/bugs/cve/CVE-2023-28756
- https://access.redhat.com/errata/RHSA-2023:3291
- https://access.redhat.com/errata/RHSA-2023:3821
- https://access.redhat.com/security/cve/cve-2023-28756
- https://access.redhat.com/errata/RHSA-2023:7025
- https://access.redhat.com/errata/RHSA-2024:1431
- https://access.redhat.com/errata/RHSA-2024:1576
- https://access.redhat.com/errata/RHSA-2024:3500
- https://access.redhat.com/errata/RHSA-2024:3838
- https://bugzilla.redhat.com/show_bug.cgi?id=2184061
- https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e
- https://github.com/ruby/time/commit/b57db51f577875d3e896dcd2ef1dcaf97f23e943
- https://github.com/ruby/time/commit/3dce6f73d14f5fad6d9b302393fd02df48797b11
- https://github.com/jruby/jruby/commit/36637a1b4e434cbb75c8f87be128b7763cedf99d
- https://security-tracker.debian.org/tracker/CVE-2023-28756
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28756
- https://ubuntu.com/security/CVE-2023-28756
Frequently Asked Questions
What is CVE-2023-28756?
CVE-2023-28756 is a ReDoS (Regular Expression Denial of Service) vulnerability discovered in the Time component of Ruby versions up to 3.2.1.
What is the severity of CVE-2023-28756?
CVE-2023-28756 has a severity rating of 7.5 (high).
How does CVE-2023-28756 affect Ruby?
CVE-2023-28756 affects the Time component in Ruby versions up to 3.2.1.
How can I fix CVE-2023-28756?
To fix CVE-2023-28756, you need to upgrade Ruby to version 0.1.1 or version 0.2.2, depending on the affected package.
Where can I find more information about CVE-2023-28756?
You can find more information about CVE-2023-28756 on the official Ruby website.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fg7x-g82r-94qc
- alias/CVE-2023-28756
- collector/github-advisory
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- agent/description
- agent/trending
- vendor/ruby-lang
- canonical/ruby-lang ruby
- version/ruby-lang ruby/2.7.7
- canonical/ruby-lang time
- version/ruby-lang time/0.1.0
- version/ruby-lang time/0.2.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/rubygems
- package-manager/debian