CVE-2013-4363 - OpenCVE

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ruby-lang	Ruby
Rubygems	Rubygems

Configuration 1 [-]

OR	cpe:2.3:a:rubygems:rubygems::::::::
	cpe:2.3:a:rubygems:rubygems:1.8.0:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.1:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.2:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.3:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.4:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.5:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.6:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.7:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.8:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.9:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.10:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.11:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.12:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.13:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.14:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.15:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.16:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.17:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.18:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.19:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.20:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.21:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.22:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.24:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.25:::::::*
	cpe:2.3:a:rubygems:rubygems:1.8.26:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.0:preview2::::::
	cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.1::::::
	cpe:2.3:a:rubygems:rubygems:2.0.0:preview2.2::::::
	cpe:2.3:a:rubygems:rubygems:2.0.0:rc1::::::
	cpe:2.3:a:rubygems:rubygems:2.0.0:rc2::::::
	cpe:2.3:a:rubygems:rubygems:2.0.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.3:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.4:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.5:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.6:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.7:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.8:::::::*
	cpe:2.3:a:rubygems:rubygems:2.0.9:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.0:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.0:rc1::::::
	cpe:2.3:a:rubygems:rubygems:2.1.0:rc2::::::
	cpe:2.3:a:rubygems:rubygems:2.1.1:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.2:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.3:::::::*
	cpe:2.3:a:rubygems:rubygems:2.1.4:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:ruby-lang:ruby:1.9:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.1:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.2:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.3:::::::*
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p0::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p125::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p194::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p286::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p383::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p385::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p392::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p426::::::
	cpe:2.3:a:ruby-lang:ruby:1.9.3:p429::::::
	cpe:2.3:a:ruby-lang:ruby:2.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.0.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p0::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p195::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:p247::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:preview1::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:preview2::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:rc1::::::
	cpe:2.3:a:ruby-lang:ruby:2.0.0:rc2::::::

No data.

References

Link	Providers
http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
http://www.openwall.com/lists/oss-security/2013/09/14/3
http://www.openwall.com/lists/oss-security/2013/09/18/8
http://www.openwall.com/lists/oss-security/2013/09/20/1
https://nvd.nist.gov/vuln/detail/CVE-2013-4363
https://puppet.com/security/cve/cve-2013-4363
https://www.cve.org/CVERecord?id=CVE-2013-4363

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-10-17T23:00:00

Updated: 2024-08-06T16:38:01.886Z

Reserved: 2013-06-12T00:00:00

Link: CVE-2013-4363

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-10-17T23:55:04.440

Modified: 2017-12-09T02:29:01.857

Link: CVE-2013-4363

Redhat

Severity : Moderate

Publid Date: 2013-09-15T00:00:00Z

Links: CVE-2013-4363 - Bugzilla

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object