In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "12.0"
},
{
"fixed": "13.10.5"
},
{
"introduced": "12.0"
},
{
"fixed": "13.10.5"
},
{
"introduced": "13.11.0"
},
{
"fixed": "13.11.5"
},
{
"introduced": "13.11.0"
},
{
"fixed": "13.11.5"
},
{
"introduced": "13.12.0"
},
{
"fixed": "13.12.2"
},
{
"introduced": "13.12.0"
},
{
"fixed": "13.12.2"
}
],
"source": "CPE_RANGE",
"vendor_product": "gitlab:gitlab",
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*"
]
}
]
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:bindata_project:bindata:*:*:*:*:*:ruby:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.4.10"
}
]
}