CVE-2021-32740
Regular Expression Denial of Service in Addressable templates
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
A resource-consumption vulnerability was found in rubygem addressable, where its URI template implementation could allow an attacker's crafted template to consume resources, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
SSVC
- Decision: -
Timeline
- 2021-05-12 CVE Reserved
- 2021-07-06 CVE Published
- 2024-03-21 EPSS Updated
- 2024-08-03 CVE Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
References (6)
URL | Tag | Date | Source
---|---|---|---
https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g | Third Party Advisory | |
https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc | | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Addressable Project | Addressable | >= 2.3.0 < 2.8.0 | ruby | Affected
Fedoraproject | Fedora | 33 | - | Affected
Fedoraproject | Fedora | 34 | - | Affected