RubySec

Providing security resources for the Ruby community

CVE-2013-4363 (rubygems-update): RubyGems Multiple API Call Version Validation CPU Consumption DoS

GEM

rubygems-update

SEVERITY

CVSS v2: 4.3

PATCHED VERSIONS

  • ~> 1.8.23.2
  • ~> 1.8.27
  • ~> 2.0.10
  • >= 2.1.5

DESCRIPTION

RubyGems contains a flaw that may allow a denial of service. The issue is triggered when handling the gem build, Gem::Package, or Gem::PackageTask API calls, which attempt to validate the version of the program. This may allow a context-dependent attacker to cause a consumption of CPU resources and crash the program. This vulnerability is due to an incomplete fix for CVE-2013-4287, which allowed a denial of service via improper validation.
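The patched-version list above uses RubyGems' own `~>` (pessimistic) operator, so the cleanest way to check an installation against this advisory is to let `Gem::Requirement` evaluate it. The following is an added example, not code from RubySec or from the RubyGems project; it assumes nothing beyond the standard `rubygems` library, and the 64-character input cap is an assumption chosen here as a defensive bound on version strings from untrusted sources (the flaw is CPU consumption during version validation, so bounding input length before validation is a cheap mitigation).

```ruby
require "rubygems"

# Patched ranges exactly as listed in the advisory for CVE-2013-4363.
PATCHED_RANGES = [
  "~> 1.8.23.2",
  "~> 1.8.27",
  "~> 2.0.10",
  ">= 2.1.5",
].map { |r| Gem::Requirement.new(r) }.freeze

# Assumed defensive bound: real RubyGems version strings are short, and the
# advisory concerns CPU consumption while validating versions, so refuse
# anything suspiciously long before it reaches the validator.
MAX_VERSION_LENGTH = 64

# Returns true when the given RubyGems version falls in one of the patched
# ranges, false when it is still affected by CVE-2013-4363.
# Raises ArgumentError for overlong or malformed version strings.
def rubygems_patched?(version_string)
  if version_string.length > MAX_VERSION_LENGTH
    raise ArgumentError, "version string too long (#{version_string.length} chars)"
  end
  version = Gem::Version.new(version_string) # raises ArgumentError if malformed
  PATCHED_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Convenience check for the RubyGems actually loaded in this interpreter.
def running_rubygems_patched?
  rubygems_patched?(Gem::VERSION)
end

if $PROGRAM_NAME == __FILE__
  status = running_rubygems_patched? ? "patched" : "AFFECTED"
  puts "RubyGems #{Gem::VERSION}: #{status} for CVE-2013-4363"
end
```

Note that `~> 1.8.23.2` covers only `>= 1.8.23.2, < 1.8.24`, so a 1.8.25 install is reported as affected even though it is newer than 1.8.23.2; that matches the advisory's ranges.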