5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-43380

GHSA ID

GHSA-2m96-52r3-2f3g

EPSS Score

0.3196%

CWE

CWE-400

Published

8/19/2024

Updated

8/21/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-43380

CVE-2024-43380: fugit parse and parse_nat stall on lengthy input

Impact

The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight.

Fugit dependents that do not check (user) input length for plausability are impacted.

Patches

Problem was reported in #104 and the fix was released in fugit 1.11.1

Workarounds

By making sure that Fugit.parse(s), Fugit.do_parse(s), Fugit.parse_nat(s), Fugit.do_parse_nat(s), Fugit::Nat.parse(s), and Fugit::Nat.do_parse(s) are not fed strings too long. 1000 chars feels ok, while 10_000 chars makes it stall.

In fewer words, making sure those fugit methods are not fed unvetted input strings.

References

gh-104

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-43380

GHSA ID

GHSA-2m96-52r3-2f3g

EPSS Score

0.3196%

CWE

CWE-400

Published

8/19/2024

Updated

8/21/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fugit	rubygems	< 1.11.1	1.11.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly lists these six methods in workarounds and advisories. All affected functions handle input parsing without length validation, allowing attackers to submit arbitrarily long strings that trigger excessive processing. The commit diff shows test adjustments for parsing performance, confirming these methods' involvement. The CWE-400 classification directly maps to the uncontrolled resource consumption exhibited by these functions. File paths are inferred from standard Ruby gem structure and method namespaces (Fugit core vs Fugit::Nat module).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *u*it "n*tur*l" p*rs*r, t**t turns "*v*ry w**n*s**y *t *pm" into "* ** * * *", ****pt** *ny l*n*t* o* input *n* w*nt on *tt*mptin* to p*rs* it, not r*turnin* promptly, *s *xp**t**. T** p*rs* **ll *oul* *ol* t** t*r*** wit* no *n* in s

Reasoning

T** vuln*r**ility *o*um*nt*tion *xpli*itly lists t**s* six m*t*o*s in work*roun*s *n* **visori*s. *ll *****t** *un*tions **n*l* input p*rsin* wit*out l*n*t* v*li**tion, *llowin* *tt**k*rs to su*mit *r*itr*rily lon* strin*s t**t tri***r *x**ssiv* pro*

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-43380: fugit parse and parse_nat stall on lengthy input

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI