CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
Percentile
72.3%
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb
and rfc3986_parser.rb
.
NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
The Ruby advisory recommends updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
You can use gem update uri to update it. If you are using bundler, please add gem uri
, >= 0.12.2
(or other version mentioned above) to your Gemfile.
Vendor | Product | Version | CPE |
---|---|---|---|
lambdaisland | uri | * | cpe:2.3:a:lambdaisland:uri:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-hww2-5g85-429m
github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
nvd.nist.gov/vuln/detail/CVE-2023-36617
security.netapp.com/advisory/ntap-20230725-0002
www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617