Description

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

Related CPE's

a

ruby-lang

uri

4

o

debian

debian_linux

10.0

Vulnerable

o

fedoraproject

fedora

3

References

https://github.com/ruby/uri/releases/

Release Notes

https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/

https://security.gentoo.org/glsa/202401-27

https://security.netapp.com/advisory/ntap-20230526-0003/

Third Party Advisory

https://www.ruby-lang.org/en/downloads/releases/

Release Notes

https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/

Release Notes

https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/

Vendor Advisory

https://github.com/ruby/uri/releases/

Release Notes

https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/

https://security.gentoo.org/glsa/202401-27

https://security.netapp.com/advisory/ntap-20230526-0003/

Third Party Advisory

https://www.ruby-lang.org/en/downloads/releases/

Release Notes

https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/

Release Notes

https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/

Vendor Advisory

Weaknesses

[email protected]

Primary
CWE-1333

134c704f-9b21-4f2e-91b3-4a467353bcc0

Secondary
CWE-1333

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2023-03-31T04:15:09.037

2 years ago

Last modified

2025-02-14T20:15:32.817

4 months ago