[RUBYSEC:URI-2023-36617] ReDoS vulnerability in URI
We have released the uri gem version 0.12.2, 0.10.3 that has a
security fix for a ReDoS vulnerability. This vulnerability has
been assigned the CVE identifier CVE-2023-36617.
Details
A ReDoS issue was discovered in the URI component through 0.12.1
for Ruby. The URI parser mishandles invalid URLs that have specific
characters. There is an increase in execution time for parsing
strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.
NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755.
The uri gem version 0.12.1 and all versions prior 0.12.1 are
vulnerable for this vulnerability.
Recommended action
We recommend to update the uri gem to 0.12.2.
In order to ensure compatibility with bundled version in older
Ruby series, you may update as follows instead:
- For Ruby 3.0: Update to uri 0.10.3
For Ruby 3.1 and 3.2: Update to uri 0.12.2
You can use gem update uri to update it. If you are using bundler,
please add gem "uri", ">= 0.12.2" (or other version mentioned
above) to your Gemfile.Affected versions: uri gem 0.12.1 or before
| Package | Affected Version |
|---|---|
 pkg:gem/uri
|
< 0.12.2 |
| Package | Fixed Version |
|---|---|
|
pkg:gem/uri
|
= 0.10.0.3 |
|
pkg:gem/uri
|
= 0.10.3 |
|
pkg:gem/uri
|
= 0.11.2 |
|
pkg:gem/uri
|
>= 0.12.2 |
- ID
- RUBYSEC:URI-2023-36617
- Severity
- medium
- URL
- https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
- Published
-
2023-06-29T00:00:00
(14 months ago) - Modified
-
2023-07-15T12:33:46
(14 months ago) - Rights
- RubySec Security Team
- Other Advisories
-
-
ALPINE:CVE-2023-28755
-
ALSA-2023:3821
-
ALSA-2023:7025
-
ALSA-2024:1431
-
ALSA-2024:1576
-
ALSA-2024:3500
-
ALSA-2024:3838
-
ALSA-2024:4499
-
ELSA-2023-3821
-
ELSA-2023-7025
-
ELSA-2024-1431
-
ELSA-2024-1576
-
ELSA-2024-3500
-
ELSA-2024-3838
-
ELSA-2024-4499
-
FEDORA-2023-6b924d3b75
-
FEDORA-2023-a7be7ea1aa
-
FEDORA-2023-f58d72c700
-
FEDORA-2024-31cac8b8ec
-
FEDORA-2024-48bdd3abbf
-
FREEBSD:9B60BBA1-CF18-11ED-BD44-080027F5FEC9
-
GLSA-202401-27
-
RHSA-2023:3821
-
RHSA-2023:7025
-
RHSA-2024:1431
-
RHSA-2024:1576
-
RHSA-2024:3500
-
RHSA-2024:3838
-
RHSA-2024:4499
-
RUBYSEC:URI-2023-28755
-
SSA:2023-090-01
-
SUSE-SU-2023:4176-1
-
USN-6055-1
-
USN-6055-2
-
USN-6087-1
-
USN-6181-1
-
USN-6219-1
-
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |