CVE-2013-4363

medium

Published 2013-09-24 · Modified 2024-11-29

CVSS v3

—

CVSS v2

4.3

VIR risk

4.3

Description

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-4363

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://www.openwall.com/lists/oss-security/2013/09/20/1

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://www.openwall.com/lists/oss-security/2013/09/18/8

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://www.openwall.com/lists/oss-security/2013/09/14/3

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`3.2.0~rc.1-1`
debian	bullseye	fixed	`3.2.0~rc.1-1`
debian	forky	fixed	`3.2.0~rc.1-1`
debian	sid	fixed	`3.2.0~rc.1-1`
debian	trixie	fixed	`3.2.0~rc.1-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
RubyGems	rubygems-update	`<~> 1.8.23.2`	`~> 1.8.23.2`
RubyGems	rubygems-update	`<1.8.23.2`	`1.8.23.2`
RubyGems	rubygems-update	`>=1.8.24,<1.8.27`	`1.8.27`
RubyGems	rubygems-update	`>=2.0.0,<2.0.10`	`2.0.10`
RubyGems	rubygems-update	`>=2.1.0,<2.1.5`	`2.1.5`

Application impact

Vendor	Product	Versions
rubygems	rubygems	`{"endIncluding":"1.8.23"}`
rubygems	rubygems	`1.8.0`
rubygems	rubygems	`1.8.1`
rubygems	rubygems	`1.8.2`
rubygems	rubygems	`1.8.3`
rubygems	rubygems	`1.8.4`
rubygems	rubygems	`1.8.5`
rubygems	rubygems	`1.8.6`
rubygems	rubygems	`1.8.7`
rubygems	rubygems	`1.8.8`
rubygems	rubygems	`1.8.9`
rubygems	rubygems	`1.8.10`
rubygems	rubygems	`1.8.11`
rubygems	rubygems	`1.8.12`
rubygems	rubygems	`1.8.13`
rubygems	rubygems	`1.8.14`
rubygems	rubygems	`1.8.15`
rubygems	rubygems	`1.8.16`
rubygems	rubygems	`1.8.17`
rubygems	rubygems	`1.8.18`
rubygems	rubygems	`1.8.19`
rubygems	rubygems	`1.8.20`
rubygems	rubygems	`1.8.21`
rubygems	rubygems	`1.8.22`
rubygems	rubygems	`1.8.24`
rubygems	rubygems	`1.8.25`
rubygems	rubygems	`1.8.26`
rubygems	rubygems	`2.0.0`
rubygems	rubygems	`2.0.1`
rubygems	rubygems	`2.0.2`
rubygems	rubygems	`2.0.3`
rubygems	rubygems	`2.0.4`
rubygems	rubygems	`2.0.5`
rubygems	rubygems	`2.0.6`
rubygems	rubygems	`2.0.7`
rubygems	rubygems	`2.0.8`
rubygems	rubygems	`2.0.9`
rubygems	rubygems	`2.1.0`
rubygems	rubygems	`2.1.1`
rubygems	rubygems	`2.1.2`
rubygems	rubygems	`2.1.3`
rubygems	rubygems	`2.1.4`
ruby-lang	ruby	`1.9`
ruby-lang	ruby	`1.9.1`
ruby-lang	ruby	`1.9.2`
ruby-lang	ruby	`1.9.3`
ruby-lang	ruby	`2.0`
ruby-lang	ruby	`2.0.0`

References

CWEs

CWE-310

Verify integrity in audit chain (admin only). AS-IS.