CVE-2024-43380

fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
VendorProductVersion
floraisonfugit
𝑥
< 1.11.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-fugit
bullseye
postponed
bookworm
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-fugit
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
jammy
needs-triage
focal
needs-triage
Common Weakness Enumeration
References
https://github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5
https://github.com/floraison/fugit/issues/104
https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g