Veracode Vulnerability Database: VERACODE:41084
History: Jun 30, 2023 - 3:59 a.m.

Regular Expression Denial Of Service (ReDoS)

2023-06-30 03:59:11
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: regular expression denial of service, redos, inefficient regex pattern, cve-2023-28755, vulnerability, uri, crash, application

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0.002 Low (percentile 61.0%)

The Ruby uri gem is vulnerable to Regular Expression Denial of Service (ReDoS). The issue is inefficient regular-expression patterns in rfc2396_parser.rb and rfc3986_parser.rb: an unauthenticated remote attacker who can get the application to parse a URI of their choosing can supply maliciously crafted URI strings that force the regex engine into excessive backtracking, exhausting CPU time and crashing the application. The impact is to availability only (see the CVSS vector above). NOTE: This issue exists because of an incomplete fix for CVE-2023-28755.
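The following Ruby is an added example for this page, not code from the uri gem, from Veracode, or from the fix for this issue. It uses a constructed URI-authority regex (not the gem's actual patterns) to show the bug class the advisory describes: a host group whose repeated sub-pattern can absorb the same characters in many different ways, so a non-matching input makes the engine try every split before giving up. Next to it are the two defences a practitioner would apply: an unambiguous rewrite of the pattern, and a hard bound on work via an input-length cap and Regexp.timeout (Ruby 3.2+). The 1024-byte cap and the 1-second budget are this example's own choices.

```ruby
# Added example for this page, not code from the Ruby `uri` gem. The regexes,
# the 1024-byte cap and the 1-second budget below are this example's own choices.
require "benchmark"

# Constructed authority matcher in the ReDoS-prone style: inside the host group,
# "[\w-]+" repeats with an *optional* dot, so a run of word characters can be
# split between iterations in exponentially many ways. An input that ultimately
# fails (e.g. a trailing "!") forces the engine to try every split.
NAIVE_AUTHORITY = /\A(?:([\w.%-]+)@)?((?:[\w-]+\.?)+)(?::(\d+))?\z/

# Unambiguous rewrite accepting the same strings: the dot is a mandatory
# separator between labels (an optional trailing dot is kept for parity), so each
# host character belongs to exactly one label and there is nothing to backtrack over.
HARDENED_AUTHORITY = /\A(?:([\w.%-]+)@)?([\w-]+(?:\.[\w-]+)*\.?)(?::(\d+))?\z/

MAX_AUTHORITY_LEN = 1024   # example cap; choose a bound that fits your inputs

# Regexp::TimeoutError only exists on Ruby >= 3.2; fall back to a never-raised
# class so the rescue clauses below load on older interpreters too.
REGEXP_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

# Ruby 3.2+: global ceiling on how long any single match may run. On older
# Rubies this line is a no-op, which is why the length cap is kept regardless.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Parse "userinfo@host:port". Returns a Hash on success and nil for malformed,
# oversize or over-budget input. Defaults to the hardened pattern; the naive one
# can be passed in to compare behaviour.
def parse_authority(str, pattern: HARDENED_AUTHORITY, limit: MAX_AUTHORITY_LEN)
  return nil if str.bytesize > limit     # reject before the regex engine sees it
  m = pattern.match(str)
  return nil unless m
  { userinfo: m[1], host: m[2], port: m[3] && m[3].to_i }
rescue REGEXP_TIMEOUT_ERROR
  nil                                    # budget exhausted: treat as malformed
end

# Wall-clock seconds for one match attempt, or :timeout if the budget was hit.
def time_match(pattern, input)
  Benchmark.realtime { pattern.match?(input) }
rescue REGEXP_TIMEOUT_ERROR
  :timeout
end

# Constructed non-matching input of the shape that triggers the backtracking.
def crafted_input(n)
  ("a" * n) + "!"
end

if $PROGRAM_NAME == __FILE__
  puts "   n     naive  hardened"
  (14..22).step(2) do |n|
    input = crafted_input(n)
    puts format("%4d  %8s  %8s", n,
                time_match(NAIVE_AUTHORITY, input).to_s[0, 8],
                time_match(HARDENED_AUTHORITY, input).to_s[0, 8])
  end
  # On Ruby < 3.2 the naive column roughly doubles with each step while the
  # hardened column stays flat. Ruby 3.2+ memoises backtracking for simple
  # patterns like this one, so both columns may stay flat there; do not rely on
  # that, since memoisation does not cover every pattern and the uri issue on
  # this page shows real parsers still get caught.
  p parse_authority("user@example.com:8080")
end
```

The length cap is the defence that works on every Ruby version and also protects third-party regexes you cannot rewrite, such as those inside a dependency; the timeout converts an unbounded stall into a normal rejection on 3.2+, and the rewrite removes the root cause. Apply all three where you control the code, and at least the first two where you only control the call site.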
