PT-2021-3937 · Ruby+1 · Addressable+1

Sporkmonger · Published 2021-07-03 · Updated 2024-06-15 · CVE-2021-32740

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Addressable versions 2.3.0 through 2.7.0

Description: Addressable, an alternative to the URI implementation in Ruby's standard library, contains an uncontrolled resource consumption vulnerability in its URI template handling. A maliciously crafted template can cause catastrophic regular-expression backtracking when it is matched against a URI, leading to denial of service. Typically, templates would not be read from untrusted user input, but previous security advisories have not cautioned against this practice. Users of Addressable's URI parsing capabilities who do not use its URI template capabilities are unaffected.

Recommendations: For Addressable versions 2.3.0 through 2.7.0, update to version 2.8.0 to resolve the issue. As a temporary workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

Tags: Exploit · Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2021-2674
ALT-PU-2022-2550
BDU:2021-04454
CVE-2021-32740
GHSA-JXHC-Q857-3J6G
MGASA-2021-0417
OESA-2021-1278
OPENSUSE-SU-2024:11592-1
OPENSUSE-SU-2024:12247-1
OPENSUSE-SU-2024:13157-1
RHSA-2021:4702
SUSE-SU-2021:2927-1
SUSE-SU-2021:2928-1

Affected Products

Alt Linux
Addressable