
Update Bindata Dependency Due To Security Issue #94

Closed
Gerst20051 opened this issue Jun 24, 2021 · 1 comment

Comments

Gerst20051 commented Jun 24, 2021

Please check the following links to get more info:

rubysec/ruby-advisory-db#476
rubysec/ruby-advisory-db#483
dmendel/bindata@d99f050
GHSA-hj56-84jw-67h6

```yaml
---
gem: bindata
cve: 2021-32823
ghsa: hj56-84jw-67h6
url: https://github.com/rubysec/ruby-advisory-db/issues/476
date: 2021-05-18
title: Potential Denial-of-Service in bindata
description: |
  In bindata before version 2.4.10, there is a potential denial-of-service
  vulnerability. In affected versions, it is very slow for certain classes in BinData
  to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002,
  BinData::Bit<N>. In combination with `<user_input>.constantize` there is a potential
  for a CPU-based DoS. In version 2.4.10, bindata improved the creation time of Bits
  and Integers.
cvss_v3: 3.7

patched_versions:
- ">= 2.4.10"
```
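As an added example that is not part of this issue or of the bindata gem, the Ruby below shows the defensive alternative to the `<user_input>.constantize` pattern named in the advisory: an allowlist lookup that also bounds `Bit<N>` widths, plus a check that the installed bindata is at least the patched 2.4.10. The names in `ALLOWED_TYPES`, the 64-bit width cap and the function names are assumptions for illustration.

```ruby
# Added example (not from the issue or the bindata gem): resolve a
# user-supplied BinData type name through an allowlist instead of
# `<user_input>.constantize`, and check the installed bindata version.
# Runs without the bindata gem; only Gem::Version (rubygems) is used.

PATCHED_BINDATA = Gem::Version.new("2.4.10")

# Fixed-size types this hypothetical service is willing to expose (assumption).
ALLOWED_TYPES = %w[Uint8 Uint16le Uint32le Int32le Float32le String].freeze

# Bit<N> / Bit<N>le wider than this are rejected (assumed cap). The
# advisory's examples (Bit100000 and up) are unbounded widths that were
# slow to create in versions before 2.4.10.
MAX_BIT_WIDTH = 64

# Returns the fully qualified class name to look up, or nil when the
# request is not allowed. Never builds a constant from raw input.
def safe_bindata_type(name)
  return nil unless name.is_a?(String)
  return "BinData::#{name}" if ALLOWED_TYPES.include?(name)

  # At most three digits keeps Bit100000-style names out before parsing.
  m = /\ABit(\d{1,3})(le)?\z/.match(name)
  return nil unless m
  width = Integer(m[1], 10)
  return nil unless width.between?(1, MAX_BIT_WIDTH)
  "BinData::#{name}"
end

# True when the installed version is at or above the patched release.
def bindata_patched?(installed_version)
  Gem::Version.new(installed_version) >= PATCHED_BINDATA
end

if __FILE__ == $PROGRAM_NAME
  %w[Uint8 Bit7 Bit100000 Bit64le Kernel].each do |req|
    puts "#{req.ljust(10)} -> #{safe_bindata_type(req).inspect}"
  end
  puts "bindata 2.4.9 patched? #{bindata_patched?('2.4.9')}"
end
```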
Gerst20051 (Author) commented

Actually, all I needed to do was run `bundle update json-jwt` and the bindata sub-dependency automatically got updated to the latest patched version 🎉
