5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
0.002 Low
Percentile
61.0%
uri is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability exists because of inefficient regular expression patterns used in rfc2396_parser.rb and rfc3986_parser.rb, which allows an attacker to cause a denial of service (excessive parsing time) by supplying a maliciously crafted URI string. NOTE: This issue exists because of an incomplete fix for CVE-2023-28755.
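The following Ruby script is an added example for this entry; it is not code from the uri gem or from the advisory. It shows the two checks a practitioner typically wants here: a version gate that flags an installed uri gem as affected, and a parsing wrapper that bounds the cost of untrusted input by capping its length and running URI.parse under a wall-clock budget (plus Ruby 3.2's global Regexp.timeout where available). The fixed-version table (0.12.2 and 0.10.3) is an assumption taken from the CVE text and must be verified against the ruby-lang advisory before use; versions on other release lines are compared conservatively against the newest known fixed version. The function names, the length cap and the timeout values are illustrative choices, and the sample inputs are constructed.

```ruby
require 'uri'
require 'timeout'

# ASSUMPTION: fixed versions per release line, taken from the CVE text.
# Verify against the ruby-lang advisory for CVE-2023-36617 before relying on it.
FIXED_URI_VERSIONS = {
  "0.12" => Gem::Version.new("0.12.2"),
  "0.10" => Gem::Version.new("0.10.3"),
}.freeze

# Returns true when the given uri gem version is in an affected range.
# A release line not listed above is compared against the newest known fixed
# version, which is the conservative choice (it may over-report).
def uri_gem_vulnerable?(version_string = URI::VERSION)
  v = Gem::Version.new(version_string)
  line = v.segments.first(2).join(".")
  fixed = FIXED_URI_VERSIONS.fetch(line) { FIXED_URI_VERSIONS.values.max }
  v < fixed
end

# Regexp::TimeoutError only exists on Ruby >= 3.2; fall back to Timeout::Error
# so the rescue clause below is valid on older interpreters too.
REGEXP_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Timeout::Error

# On Ruby 3.2+ a global regexp timeout bounds every match, including the ones
# inside the RFC2396/RFC3986 parsers. Returns false when unsupported.
def enable_regexp_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

ParseResult = Struct.new(:status, :uri)

# Parse untrusted input under a size cap and a wall-clock budget so that a
# pathological string costs bounded CPU instead of stalling the worker.
# max_length and budget_seconds are illustrative values, not advisory guidance.
def parse_with_budget(input, max_length: 2048, budget_seconds: 0.5)
  return ParseResult.new(:rejected, nil) if input.length > max_length
  uri = Timeout.timeout(budget_seconds) { URI.parse(input) }
  ParseResult.new(:ok, uri)
rescue Timeout::Error, REGEXP_TIMEOUT_ERROR
  ParseResult.new(:timeout, nil)
rescue URI::InvalidURIError
  ParseResult.new(:invalid, nil)
end

if __FILE__ == $0
  puts "installed uri #{URI::VERSION}: vulnerable=#{uri_gem_vulnerable?}"
  puts "regexp timeout enabled: #{enable_regexp_timeout(0.5)}"
  # Constructed sample inputs: a normal URL, an oversized string, an invalid one.
  ["https://example.com/path?q=1", "a" * 5000, "http://exa mple.com/"].each do |s|
    r = parse_with_budget(s)
    puts "#{s[0, 30].inspect} -> #{r.status} #{r.uri&.host}"
  end
end
```

The wrapper does not make a vulnerable parser safe; upgrading the gem is the fix. It limits blast radius while the upgrade is rolled out, and the version gate is the check to wire into CI or an inventory script.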
github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/
security.netapp.com/advisory/ntap-20230725-0002/
www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/