nov/json-jwt

Update Bindata Dependency Due To Security Issue

Gerst20051 opened this issue · 1 comment

Please check the following links to get more info:

rubysec/ruby-advisory-db#476
rubysec/ruby-advisory-db#483
dmendel/bindata@d99f050
GHSA-hj56-84jw-67h6

---
gem: bindata
cve: 2021-32823
ghsa: hj56-84jw-67h6
url: https://github.com/rubysec/ruby-advisory-db/issues/476
date: 2021-05-18
title: Potential Denial-of-Service in bindata
description: |
  In bindata before version 2.4.10, there is a potential denial-of-service
  vulnerability. In affected versions, it is very slow for certain classes in BinData
  to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002,
  BinData::Bit<N>. In combination with `<user_input>.constantize` there is a potential
  for a CPU-based DoS. In version 2.4.10, bindata improved the creation time of Bits
  and Integers.
cvss_v3: 3.7

patched_versions:
- ">= 2.4.10"

Actually, all I needed to do was run `bundle update json-jwt` and the bindata sub-dependency automatically got updated to the latest patched version 🎉
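As an added example (not code from the nov/json-jwt project or from anyone in this thread), the following stdlib-only Ruby script checks whether a Gemfile.lock pins bindata inside the patched range quoted in the advisory above (`>= 2.4.10`), which is the thing to verify after a `bundle update json-jwt` like the one described in the comment. The lockfile excerpt and every version number in it are constructed for the example, and the helper names `lockfile_specs` and `check_bindata` are my own.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby itself

# Constructed Gemfile.lock excerpt (hypothetical versions, not the real
# nov/json-jwt lockfile). bindata 2.4.8 is deliberately below the patched range.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (6.1.3.2)
      aes_key_wrap (1.1.0)
      bindata (2.4.8)
      json-jwt (1.13.0)
        activesupport (>= 4.2)
        aes_key_wrap
        bindata

  PLATFORMS
    ruby

  DEPENDENCIES
    json-jwt
LOCK

# Patched range copied from the ruby-advisory-db entry quoted above.
PATCHED_VERSIONS = [">= 2.4.10"].freeze

# Parse the "specs:" section(s) of a Gemfile.lock into { name => version }.
# Resolved gems sit at four spaces of indentation with a parenthesised version;
# the six-space lines underneath them are dependency requirements and are skipped.
def lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    # A blank line or the next top-level section (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && (line.strip.empty? || !line.start_with?(" "))
    next unless in_specs

    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Returns nil when bindata is not locked at all; otherwise a hash with the
# locked version and whether it falls outside the patched range.
def check_bindata(lockfile_text, patched = PATCHED_VERSIONS)
  specs = lockfile_specs(lockfile_text)
  return nil unless specs.key?("bindata")

  version = Gem::Version.new(specs["bindata"])
  patched_ok = patched.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  { version: version.to_s, vulnerable: !patched_ok }
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real Gemfile.lock path as the first argument, or run on the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = check_bindata(text)
  if result.nil?
    puts "bindata is not in this lockfile"
  elsif result[:vulnerable]
    puts "bindata #{result[:version]} is below the patched range (CVE-2021-32823); run: bundle update json-jwt"
  else
    puts "bindata #{result[:version]} is inside the patched range"
  end
end
```

Using `Gem::Requirement` rather than a string comparison matters here: `"2.4.8" < "2.4.10"` is false as strings but true as versions, so a naive check would wrongly report the vulnerable pin as patched.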