CVE-2021-32823

Published: Jun 24, 2021Modified: Nov 21, 2024

3.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 2.2 / Impact: 1.4

Source: NVD

Description

In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.

Affected (7)

Products: Bindata Project: Bindata · Gitlab: Gitlab

Bindata Project

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bindata Project Bindata	Before 2.4.10

Configuration B

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 12.0 to 13.10.5
Gitlab Gitlab	From 13.11.0 to 13.11.5
Gitlab Gitlab	From 13.12.0 to 13.12.2
Gitlab Gitlab	From 12.0 to 13.10.5
Gitlab Gitlab	From 13.11.0 to 13.11.5
Gitlab Gitlab	From 13.12.0 to 13.12.2

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (10)

https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/#update-bindata-dependency

Source: security-advisories@github.com

Third Party Advisory

https://github.com/dmendel/bindata/blob/v2.4.10/ChangeLog.rdoc#version-2410-2021-05-18-

Source: security-advisories@github.com

Third Party Advisory

https://github.com/dmendel/bindata/commit/d99f050b88337559be2cb35906c1f8da49531323

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/rubysec/ruby-advisory-db/issues/476

Source: security-advisories@github.com

ExploitPatchThird Party Advisory

https://rubygems.org/gems/bindata

Source: security-advisories@github.com

Third Party Advisory

https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/#update-bindata-dependency

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/dmendel/bindata/blob/v2.4.10/ChangeLog.rdoc#version-2410-2021-05-18-

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/dmendel/bindata/commit/d99f050b88337559be2cb35906c1f8da49531323

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/rubysec/ruby-advisory-db/issues/476

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://rubygems.org/gems/bindata

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.