RubySec

Providing security resources for the Ruby community

CVE-2021-32823 (bindata): Potential Denial-of-Service in bindata

ADVISORIES

GEM

bindata

SEVERITY

CVSS v3: 3.7

PATCHED VERSIONS

  • >= 2.4.10

DESCRIPTION

In bindata before version 2.4.10, there is a potential denial-of-service vulnerability. In affected versions, it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit. In combination with `.constantize` there is a potential for a CPU-based DoS. In version 2.4.10, bindata improved the creation time of Bits and Integers.