RedCloth Regular Expression Denial of Service issue
Published: June 06, 2023
SECURITY IDENTIFIERS
- CVE: CVE-2023-31606 (NVD)
- GHSA: GHSA-qcm3-vfq5-wfr2
- Vendor Advisory: https://github.com/e23e/CVE-2023-31606#readme
GEM
RedCloth
SEVERITY
CVSS v3.x: 7.5 (High)
UNAFFECTED VERSIONS
< 4.0.0
PATCHED VERSIONS
>= 4.3.3
DESCRIPTION
A Regular Expression Denial of Service (ReDoS) issue was discovered in the "sanitize_html" function of the RedCloth gem, affecting versions >= 4.0.0 (and < 4.3.3). This vulnerability allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload.
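As an added example (not part of this advisory or the RedCloth project), the following Ruby code shows the two checks a defender would run against this issue: whether a RedCloth version falls in the affected range stated above (>= 4.0.0, < 4.3.3), and a wrapper that bounds the time and input size given to any HTML-sanitizing call so that a regex that backtracks pathologically cannot stall a request thread. The `sanitize_with_budget` helper, its limits, and the `redcloth_version_affected?` name are assumptions introduced here; the version numbers come from the advisory.

```ruby
require 'rubygems'
require 'timeout'

# Affected range taken from the advisory: vulnerable from 4.0.0 up to,
# but not including, the patched release 4.3.3.
AFFECTED_REDCLOTH = Gem::Requirement.new('>= 4.0.0', '< 4.3.3')

# Returns true when the given version string is inside the affected range.
def redcloth_version_affected?(version_string)
  AFFECTED_REDCLOTH.satisfied_by?(Gem::Version.new(version_string))
end

# Inspects the RedCloth gem currently loaded in this process, if any.
# Returns nil when RedCloth is not loaded (assumption: gem name "RedCloth").
def installed_redcloth_affected?
  spec = Gem.loaded_specs['RedCloth']
  return nil if spec.nil?
  redcloth_version_affected?(spec.version.to_s)
end

# Mitigation wrapper (hypothetical helper, not a RedCloth API): rejects
# oversized input up front and aborts the sanitizer if it exceeds a wall-clock
# budget. A ReDoS payload then costs at most `seconds` of CPU instead of
# holding the worker indefinitely. Returns nil when the budget is exhausted.
def sanitize_with_budget(input, max_bytes: 64 * 1024, seconds: 1.0)
  raise ArgumentError, "input of #{input.bytesize} bytes exceeds #{max_bytes}" if input.bytesize > max_bytes

  Timeout.timeout(seconds) { yield input }
rescue Timeout::Error
  # Caller decides what to do: reject the request, log, or fall back to
  # escaping the whole string instead of sanitizing it.
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions, not a live scan of any system.
  %w[3.0.4 4.0.0 4.3.2 4.3.3].each do |v|
    puts "RedCloth #{v}: #{redcloth_version_affected?(v) ? 'AFFECTED' : 'not affected'}"
  end

  # Stand-in sanitizer (upcases its input) so the wrapper can be exercised
  # without RedCloth installed.
  puts sanitize_with_budget('<b>hello</b>') { |html| html.upcase }
end
```

In a real deployment the block passed to `sanitize_with_budget` would call the application's RedCloth rendering path; the timeout is a stopgap for hosts that cannot upgrade immediately, and upgrading to 4.3.3 or later remains the fix.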
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2023-31606
- https://github.com/e23e/CVE-2023-31606#readme
- https://github.com/jgarber/redcloth/issues/73
- https://github.com/jgarber/redcloth/blob/v4.3.2/lib/redcloth/formatters/html.rb#L327
- https://github.com/advisories/GHSA-qcm3-vfq5-wfr2
- https://github.com/jgarber/redcloth/pull/75
- https://github.com/jgarber/redcloth/blob/v4.3.3/lib/redcloth/formatters/html.rb#L327
