CVE-2024-43380

Published: Aug 19, 2024Modified: Aug 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.

Affected (1)

Products: Floraison: Fugit

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Floraison Fugit	Before 1.11.1

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (3)

https://github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5

Source: security-advisories@github.com

Patch

https://github.com/floraison/fugit/issues/104

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.