CVE-2023-28756: Ruby Time component ReDos issue

March 31, 2023 (updated January 24, 2024)

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

References

github.com/advisories/GHSA-fg7x-g82r-94qc
github.com/ruby/time/releases/
nvd.nist.gov/vuln/detail/CVE-2023-28756
www.ruby-lang.org/en/downloads/releases/
www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/

Detect and mitigate CVE-2023-28756 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →