VYPR
Moderate severityNVD Advisory· Published Aug 19, 2024· Updated Sep 3, 2024

fugit parse and parse_nat stall on lengthy input

CVE-2024-43380

Description

fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
fugitRubyGems
< 1.11.11.11.1

Affected products

14

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.