Vulnerability Details: CVE-2021-41817
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
Vulnerability category: Denial of service
Products affected by CVE-2021-41817
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:date:*:*:*:*:*:ruby:*:*
- cpe:2.3:a:ruby-lang:date:3.2.0:*:*:*:*:ruby:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:factory:-:*:*:*:*:*:*:*
Threat overview for CVE-2021-41817
- Top open port discovered on systems with this issue: 53
- IPs affected by CVE-2021-41817: 686,104
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2021-41817
- EPSS score: 0.74% (probability of exploitation activity in the next 30 days)
- Percentile: ~81% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2021-41817
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2021-41817
- The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-41817
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
  CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods (Exploit; Vendor Advisory)
- https://hackerone.com/reports/1254844
  HackerOne report (permissions required)
- https://security.gentoo.org/glsa/202401-27
  Ruby: Multiple vulnerabilities (GLSA 202401-27), Gentoo security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUXQCH6FRKANCVZO2Q7D2SQX33FP3KWN/
  [SECURITY] Fedora 34 Update: ruby-3.0.4-153.fc34, package-announce, Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTOJGS5IEFDK3UOO7IY4OTTFGHGLSWZF/
  [SECURITY] Fedora 35 Update: ruby-3.0.4-153.fc35, package-announce, Fedora Mailing-Lists (Mailing List; Third Party Advisory)