PT-2021-7337 · Ruby · Date Gem
Svalkanov · Published 2021-11-15 · Updated 2025-12-12
CVE-2021-41817
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
date gem versions prior to 3.2.1
date gem versions prior to 3.1.2
date gem versions prior to 3.0.2
date gem versions prior to 2.0.1
Description
The date gem for Ruby is vulnerable to ReDoS (regular expression denial of service): the regular expressions used internally by its date parsing methods, including Date.parse, can be made to run for an excessive time by a sufficiently long input string, which leads to a denial of service. Applications and libraries that apply such methods to untrusted input may be affected.
Recommendations
For date gem versions prior to 3.2.1, update to version 3.2.1 or later.
For date gem versions prior to 3.1.2, update to version 3.1.2 or later.
For date gem versions prior to 3.0.2, update to version 3.0.2 or later.
For date gem versions prior to 2.0.1, update to version 2.0.1 or later.
As a temporary workaround, consider using Date.strptime instead with a predefined date format, such as Date.strptime('2001-02-20', '%Y-%m-%d').
Exploit
Fix
DoS
Resource Exhaustion
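The Date.strptime workaround recommended above, worked into a small input-validation helper. This is an added example, not code from the advisory or from the date gem: the length cap, the list of accepted formats and the helper names are assumptions chosen for illustration. It shows the two defensive steps a practitioner would want when untrusted strings reach a date parser: gate on input length before parsing at all, and parse only against a fixed format instead of the heuristic Date.parse.

```ruby
require 'date'

# Maximum input length accepted before any parsing happens (constructed limit
# for this example; a real application picks the longest legitimate value).
MAX_DATE_INPUT = 32

# Fixed, predefined formats this application accepts (assumption: ISO 8601
# extended and basic forms). Date.strptime matches the string against a format
# literally instead of running the gem's parsing heuristics over it.
ALLOWED_FORMATS = ['%Y-%m-%d', '%Y%m%d'].freeze

# Parse an untrusted date string safely. Returns a Date, or nil when the input
# is not a string, is too long, or does not exactly match an allowed format.
def parse_untrusted_date(input)
  return nil unless input.is_a?(String)
  return nil if input.length > MAX_DATE_INPUT # cheap length gate first

  ALLOWED_FORMATS.each do |fmt|
    begin
      date = Date.strptime(input, fmt)
      # strptime is lenient about width ('2001-2-20' satisfies '%Y-%m-%d'),
      # so re-render the parsed date and require the canonical form exactly.
      return date if date.strftime(fmt) == input
    rescue ArgumentError # Date::Error is a subclass of ArgumentError
      next
    end
  end
  nil
end

# Convenience wrapper for call sites that prefer an exception to nil.
def parse_untrusted_date!(input)
  parse_untrusted_date(input) or raise ArgumentError, 'unsupported or invalid date input'
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: a valid date, a compact valid date, an invalid
  # calendar date, trailing junk, and an over-long string that is never parsed.
  ['2001-02-20', '20010220', '2001-02-30', '2001-02-20 extra', 'x' * 10_000].each do |s|
    puts "#{s[0, 24].inspect} -> #{parse_untrusted_date(s).inspect}"
  end
end
```

The length check runs before Date.strptime is ever called, so an over-long string is rejected in constant time; the fixed-format parse then bounds the work done on anything that passes the gate.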
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Ruby
Suse
Ubuntu
Date Gem