Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1odjVqLTNoOWYtOTljMs4AAyes

Ruby URI component ReDoS issue

A ReDoS (regular expression denial of service) issue was discovered in the URI component up to and including version 0.12.0, as shipped with Ruby up to and including 3.2.1. The URI parser mishandles invalid URLs that contain specific characters, causing a sharp increase in execution time when such strings are parsed into URI objects; an attacker-supplied URL can therefore tie up CPU time on the parsing host. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

Permalink: https://github.com/advisories/GHSA-hv5j-3h9f-99c2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odjVqLTNoOWYtOTljMs4AAyes
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-hv5j-3h9f-99c2, CVE-2023-28755
References: Repository: https://github.com/ruby/uri
Blast Radius: 23.0

Affected Packages

rubygems:uri
Dependent packages: 66
Dependent repositories: 1,166
Downloads: 16,837,925 total
Affected Version Ranges: < 0.10.0.1, = 0.10.1, = 0.11.0, = 0.12.0
Fixed in: 0.10.0.1, 0.10.2, 0.11.1, 0.12.1
All affected versions: 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0
All unaffected versions: