CVE-2023-28756
Ruby Time component ReDoS issue
Severity: 7.5 HIGH (CVSS 3.1) | EPSS 0.71%
Description
A ReDoS (regular-expression denial of service) issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters, so parsing such strings into Time objects takes disproportionately long. The fixed versions are 0.1.1 and 0.2.2.
How to fix CVE-2023-28756
To remediate CVE-2023-28756, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 2.7.8-r0 or later
- —upgrade to 2.7.8 or later
- —upgrade to 2.7.8 or later
- —no fix listed
- —upgrade to 2.7.4-1+deb11u2 or later
- —no fix listed
- —upgrade to 0.2.2 or later
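As an added example (not code from the advisory or from the ruby/time project), the helper below encodes the fixed versions named above (0.1.1 for the 0.1 series, 0.2.2 for the 0.2 series) so an installed time gem version can be classified, and wraps `Time.parse` for untrusted input with an input-length limit and a time budget; the 64-character limit and 0.5-second budget are assumed values, not figures from the advisory.

```ruby
require 'rubygems'
require 'time'
require 'timeout'

# Fixed releases named in CVE-2023-28756: 0.1.1 (0.1 series) and 0.2.2 (0.2 series).
FIX_0_1 = Gem::Version.new('0.1.1')
FIX_0_2 = Gem::Version.new('0.2.2')

# True when a time gem version string falls below the fix for its own series.
def affected_time_gem?(version_string)
  v = Gem::Version.new(version_string)
  if v < Gem::Version.new('0.2.0')
    v < FIX_0_1   # 0.1.x (and anything older) is fixed from 0.1.1
  else
    v < FIX_0_2   # 0.2.x is fixed from 0.2.2; later series already carry the fix
  end
end

MAX_TIME_STRING = 64   # assumed limit; real timestamps are far shorter than this
PARSE_TIMEOUT = 0.5    # assumed budget in seconds

# Ruby 3.2+ can bound every regexp match directly; enable that when available
# (older interpreters fall back to Timeout alone).
Regexp.timeout = PARSE_TIMEOUT if Regexp.respond_to?(:timeout=)
REGEXP_TIMEOUT_ERROR = defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Timeout::Error

# Defensive wrapper for untrusted input: ReDoS cost grows with input length,
# so reject oversized strings up front and cap the time spent on the rest.
# A pathological string then costs at most PARSE_TIMEOUT seconds instead of
# tying up a worker; the caller still gets ArgumentError, as for any bad input.
def safe_time_parse(str, max_len: MAX_TIME_STRING, timeout: PARSE_TIMEOUT)
  if str.length > max_len
    raise ArgumentError, "time string too long (#{str.length} > #{max_len})"
  end
  Timeout.timeout(timeout) { Time.parse(str) }
rescue Timeout::Error, REGEXP_TIMEOUT_ERROR
  raise ArgumentError, "time string took longer than #{timeout}s to parse"
end

if __FILE__ == $PROGRAM_NAME
  puts "time 0.2.1 affected? #{affected_time_gem?('0.2.1')}"
  puts "time 0.2.2 affected? #{affected_time_gem?('0.2.2')}"
  puts safe_time_parse('2023-03-30 12:00:00 UTC').iso8601
end
```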
Is CVE-2023-28756 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 2.7.8-r0
- from 0, < 2.7.8
- from 0, < 2.7.8
- from 0
- from 0, < 2.7.4-1+deb11u2
- from 0
- >= 0.2.0, < 0.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |