CVE-2013-4363

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.  NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
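
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.3 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| redhat | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
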
EPSS Score percentile: 68%

| Vendor | Product | Version |
|---|---|---|
| rubygems | rubygems | 𝑥 ≤ 1.8.23 |
| rubygems | rubygems | 1.8.0 |
| rubygems | rubygems | 1.8.1 |
| rubygems | rubygems | 1.8.2 |
| rubygems | rubygems | 1.8.3 |
| rubygems | rubygems | 1.8.4 |
| rubygems | rubygems | 1.8.5 |
| rubygems | rubygems | 1.8.6 |
| rubygems | rubygems | 1.8.7 |
| rubygems | rubygems | 1.8.8 |
| rubygems | rubygems | 1.8.9 |
| rubygems | rubygems | 1.8.10 |
| rubygems | rubygems | 1.8.11 |
| rubygems | rubygems | 1.8.12 |
| rubygems | rubygems | 1.8.13 |
| rubygems | rubygems | 1.8.14 |
| rubygems | rubygems | 1.8.15 |
| rubygems | rubygems | 1.8.16 |
| rubygems | rubygems | 1.8.17 |
| rubygems | rubygems | 1.8.18 |
| rubygems | rubygems | 1.8.19 |
| rubygems | rubygems | 1.8.20 |
| rubygems | rubygems | 1.8.21 |
| rubygems | rubygems | 1.8.22 |
| rubygems | rubygems | 1.8.24 |
| rubygems | rubygems | 1.8.25 |
| rubygems | rubygems | 1.8.26 |
| rubygems | rubygems | 2.0.0 |
| rubygems | rubygems | 2.0.0:preview2 |
| rubygems | rubygems | 2.0.0:preview2.1 |
| rubygems | rubygems | 2.0.0:preview2.2 |
| rubygems | rubygems | 2.0.0:rc1 |
| rubygems | rubygems | 2.0.0:rc2 |
| rubygems | rubygems | 2.0.1 |
| rubygems | rubygems | 2.0.2 |
| rubygems | rubygems | 2.0.3 |
| rubygems | rubygems | 2.0.4 |
| rubygems | rubygems | 2.0.5 |
| rubygems | rubygems | 2.0.6 |
| rubygems | rubygems | 2.0.7 |
| rubygems | rubygems | 2.0.8 |
| rubygems | rubygems | 2.0.9 |
| rubygems | rubygems | 2.1.0 |
| rubygems | rubygems | 2.1.0:rc1 |
| rubygems | rubygems | 2.1.0:rc2 |
| rubygems | rubygems | 2.1.1 |
| rubygems | rubygems | 2.1.2 |
| rubygems | rubygems | 2.1.3 |
| rubygems | rubygems | 2.1.4 |
| ruby-lang | ruby | 1.9 |
| ruby-lang | ruby | 1.9.1 |
| ruby-lang | ruby | 1.9.2 |
| ruby-lang | ruby | 1.9.3 |
| ruby-lang | ruby | 1.9.3:p0 |
| ruby-lang | ruby | 1.9.3:p125 |
| ruby-lang | ruby | 1.9.3:p194 |
| ruby-lang | ruby | 1.9.3:p286 |
| ruby-lang | ruby | 1.9.3:p383 |
| ruby-lang | ruby | 1.9.3:p385 |
| ruby-lang | ruby | 1.9.3:p392 |
| ruby-lang | ruby | 1.9.3:p426 |
| ruby-lang | ruby | 1.9.3:p429 |
| ruby-lang | ruby | 2.0 |
| ruby-lang | ruby | 2.0.0 |
| ruby-lang | ruby | 2.0.0:p0 |
| ruby-lang | ruby | 2.0.0:p195 |
| ruby-lang | ruby | 2.0.0:p247 |
| ruby-lang | ruby | 2.0.0:preview1 |
| ruby-lang | ruby | 2.0.0:preview2 |
| ruby-lang | ruby | 2.0.0:rc1 |
| ruby-lang | ruby | 2.0.0:rc2 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| rubygems | bullseye | 3.2.5-2 | fixed |
| rubygems | bookworm | 3.3.15-2 | fixed |
| rubygems | sid | 3.4.20-1 | fixed |
| rubygems | trixie | 3.4.20-1 | fixed |

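Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| jruby | raring | ignored |
| jruby | quantal | ignored |
| jruby | precise | ignored |
| jruby | lucid | ignored |
| ruby1.9.1 | raring | ignored |
| ruby1.9.1 | quantal | ignored |
| ruby1.9.1 | precise | ignored |
| ruby1.9.1 | lucid | ignored |
| rubygems | raring | ignored |
| rubygems | quantal | ignored |
| rubygems | precise | ignored |
| rubygems | lucid | dne |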