In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.
References
Link | Resource |
---|---|
https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/#update-bindata-dependency | Third Party Advisory |
https://github.com/dmendel/bindata/blob/v2.4.10/ChangeLog.rdoc#version-2410-2021-05-18- | Third Party Advisory |
https://github.com/dmendel/bindata/commit/d99f050b88337559be2cb35906c1f8da49531323 | Patch Third Party Advisory |
https://github.com/rubysec/ruby-advisory-db/issues/476 | Exploit Patch Third Party Advisory |
https://rubygems.org/gems/bindata | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2021-06-23T23:40:12
Updated: 2021-06-23T23:40:11
Reserved: 2021-05-12T00:00:00
Link: CVE-2021-32823
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-06-24T00:15:08.103
Modified: 2022-10-25T14:20:46.857
Link: CVE-2021-32823
JSON object: View
Redhat Information
No data.
CWE