Moderate severityNVD Advisory· Published Aug 19, 2024· Updated Sep 3, 2024
fugit parse and parse_nat stall on lengthy input
CVE-2024-43380
Description
fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
fugitRubyGems | < 1.11.1 | 1.11.1 |
Affected products
14- osv-coords13 versionspkg:apk/chainguard/logstashpkg:apk/chainguard/logstash-compatpkg:apk/chainguard/logstash-env2yamlpkg:apk/chainguard/logstash-jre-bcfipspkg:apk/chainguard/logstash-jre-bcfips-compatpkg:apk/chainguard/logstash-jre-bcfips-env2yamlpkg:apk/chainguard/logstash-jre-bcfips-with-output-opensearchpkg:apk/chainguard/logstash-with-output-opensearchpkg:apk/wolfi/logstashpkg:apk/wolfi/logstash-compatpkg:apk/wolfi/logstash-env2yamlpkg:apk/wolfi/logstash-with-output-opensearchpkg:gem/fugit
< 8.15.0-r1+ 12 more
- (no CPE)range: < 8.15.0-r1
- (no CPE)range: < 8.15.0-r1
- (no CPE)range: < 8.15.0-r1
- (no CPE)range: < 8.15.1-r0
- (no CPE)range: < 8.15.1-r0
- (no CPE)range: < 8.15.1-r0
- (no CPE)range: < 8.15.1-r0
- (no CPE)range: < 8.15.0-r1
- (no CPE)range: < 8.15.0-r1
- (no CPE)range: < 8.15.0-r1
- (no CPE)range: < 8.15.0-r1
- (no CPE)range: < 8.15.0-r1
- (no CPE)range: < 1.11.1
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-2m96-52r3-2f3gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-43380ghsaADVISORY
- github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5ghsax_refsource_MISCWEB
- github.com/floraison/fugit/issues/104ghsax_refsource_MISCWEB
- github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3gghsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/fugit/CVE-2024-43380.ymlghsaWEB
News mentions
0No linked articles in our index yet.