PT-2013-4937 · Ruby+3 · Rubygems+3

Damir Sharipov

Published

2013-10-09

Updated

2025-09-29

CVE-2013-4287

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions RubyGems versions 1.8.24 through 1.8.25 RubyGems versions 2.0.x through 2.0.7 RubyGems versions 2.1.x through 2.1.0 RubyGems version 1.8.23 and earlier

Description The issue allows remote attackers to cause a denial of service via a crafted gem version that triggers a large amount of backtracking in a regular expression in the Gem::Version::VERSION PATTERN in lib/rubygems/version.rb. This can lead to CPU consumption.

Recommendations For RubyGems versions 1.8.24 through 1.8.25, update to version 1.8.26 or later. For RubyGems versions 2.0.x through 2.0.7, update to version 2.0.8 or later. For RubyGems versions 2.1.x through 2.1.0, update to version 2.1.1 or later. For RubyGems version 1.8.23 and earlier, update to version 1.8.23.1 or later. As a temporary workaround, consider restricting the use of the Gem::Version::VERSION PATTERN until a patch is available.

Exploit

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-310

Related Identifiers

ALSA-2025_16880

ALT-PU-2016-2061

CESA-2013_1441

CVE-2013-4287

GHSA-9J7M-RJQX-48VH

MGASA-2013-0297

RHSA-2013:1427

RHSA-2013:1441

RHSA-2013:1523

RHSA-2013:1852

RHSA-2013_1441

RHSA-2014:0207

Affected Products

Alt Linux

Centos

Red Hat

Rubygems

PT-2013-4937 · Ruby+3 · Rubygems+3

CVE-2013-4287

Weakness Enumeration

Related Identifiers

Affected Products

References · 28