CVE-2023-28756
ruby: ReDoS vulnerability in Time
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
A flaw was found in the Time gem and Time library of Ruby. The Time parser mishandles invalid strings with specific characters and causes an increase in execution time for parsing strings to Time objects. This issue may result in a Regular expression denial of service (ReDoS).
It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue is being addressed only for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
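As an added illustration (not code from the CVE record or the ruby/time gem), a defensive wrapper a service can place in front of Time's string parsers while the fixed gem versions (0.1.1, 0.2.2) roll out: it caps the length of the untrusted string and bounds the time the regex engine may spend on it, the two inputs a ReDoS needs. The helper name, the length limit and the timeout value are assumptions.

```ruby
require "time"
require "timeout"

# Added defensive wrapper, not code from the CVE record or the ruby/time gem.
# A ReDoS needs a long attacker-controlled input and unbounded matching time;
# this helper limits both before handing the string to Time's parsers.
MAX_TIME_STRING_LEN = 64   # assumption: legitimate timestamps are far shorter
PARSE_TIMEOUT_SECS  = 0.5  # assumption: generous budget for one parse

# Ruby >= 3.2 can cap regex matching globally (Regexp.timeout=); on older
# Rubies that API is absent and only the Timeout block below applies.
Regexp.timeout = PARSE_TIMEOUT_SECS if Regexp.respond_to?(:timeout=)

# Regexp::TimeoutError also exists only on Ruby >= 3.2; resolve the constant
# up front so the rescue clause never raises NameError on older versions.
REGEXP_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Timeout::Error

# Parses +str+ with the chosen Time class method (:parse, :xmlschema,
# :rfc2822, ...). Returns a Time on success and nil when the input is
# rejected, malformed, or exceeds the time budget; callers treat nil as an
# invalid timestamp rather than retrying.
def safe_parse_time(str, method: :parse)
  return nil unless str.is_a?(String)
  return nil if str.bytesize > MAX_TIME_STRING_LEN

  Timeout.timeout(PARSE_TIMEOUT_SECS) { Time.public_send(method, str) }
rescue ArgumentError, Timeout::Error, REGEXP_TIMEOUT_ERROR
  nil
end
```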
SSVC
- Decision: Attend
Timeline
- 2023-03-23 CVE Reserved
- 2023-03-31 CVE Published
- 2024-11-27 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-1333: Inefficient Regular Expression Complexity
References (12)
URL | Tag
---|---
https://github.com/ruby/time/releases | Release Notes
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html | Mailing List
https://security.netapp.com/advisory/ntap-20230526-0004 | Third Party Advisory
https://www.ruby-lang.org/en/downloads/releases | Release Notes
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released | Release Notes
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Ruby-lang | Ruby | <= 2.7.7 | - | Affected
Ruby-lang | Time | 0.1.0 | ruby | Affected
Ruby-lang | Time | 0.2.1 | ruby | Affected
Debian | Debian Linux | 10.0 | - | Affected
Fedoraproject | Fedora | 36 | - | Affected
Fedoraproject | Fedora | 37 | - | Affected
Fedoraproject | Fedora | 38 | - | Affected