CVE-2023-28756

Published: Mar 31, 2023Modified: Nov 4, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

Affected (7)

Products: Ruby Lang: Ruby, Time · Debian: Debian Linux · Fedoraproject: Fedora

2 products

1 product

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	Up to 2.7.7
Ruby Lang Time	Version 0.1.0
Ruby Lang Time	Version 0.2.1

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Fedoraproject Fedora	Version 36
Fedoraproject Fedora	Version 37
Fedoraproject Fedora	Version 38

Related CWEs

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References (21)

https://github.com/ruby/time/releases/

Source: cve@mitre.org

Release Notes

https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202401-27

Source: cve@mitre.org

https://security.netapp.com/advisory/ntap-20230526-0004/

Source: cve@mitre.org

Third Party Advisory

https://www.ruby-lang.org/en/downloads/releases/

Source: cve@mitre.org

Release Notes

https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/

Source: cve@mitre.org

Release Notes

https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/

Source: cve@mitre.org

Vendor Advisory

https://github.com/ruby/time/releases/

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202401-27

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20230526-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.ruby-lang.org/en/downloads/releases/

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.