ReDoS Vulnerability in Ruby URI Component
CVE-2023-28755
5.3 MEDIUM
What is CVE-2023-28755?
A vulnerability in Ruby's URI component, in versions up to 0.12.0, allows a ReDoS (regular expression denial of service) attack due to improper handling of invalid URLs containing specific characters. This flaw can significantly increase the execution time when parsing strings into URI objects, potentially leading to denial of service. Users are advised to upgrade the Ruby URI component to version 0.12.1, 0.11.1, 0.10.2, or 0.10.0.1 to mitigate this issue.
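The following added example (not part of the original advisory) checks a uri version string against the fixed releases listed above. It assumes each fixed release patches only its own release line, which is why 0.10.0.1 counts as fixed while the numerically higher 0.10.1 does not; the helper names `uri_patched?` and `installed_uri_status` are hypothetical.

```ruby
require "rubygems"
require "uri"

# Fixed releases as listed in the advisory text above.
FIXED_RELEASES = %w[0.12.1 0.11.1 0.10.2 0.10.0.1].map { |v| Gem::Version.new(v) }

# Assumption (not stated on the page): each fixed release patches its own
# release line, so a version is safe only if it is newer than every fix or
# is >= the fix that shares its release-line prefix.
def uri_patched?(version_string)
  v = Gem::Version.new(version_string)
  return true if v >= FIXED_RELEASES.max

  FIXED_RELEASES.any? do |fix|
    prefix = fix.segments[0...-1] # e.g. [0, 10, 0] for 0.10.0.1
    v.segments.first(prefix.length) == prefix && v >= fix
  end
end

# Reports the uri version loaded in the current interpreter and its status.
def installed_uri_status
  [URI::VERSION, uri_patched?(URI::VERSION)]
end

if __FILE__ == $PROGRAM_NAME
  version, patched = installed_uri_status
  puts "uri #{version}: #{patched ? 'patched' : 'VULNERABLE to CVE-2023-28755'}"

  # Constructed sample versions covering each release line.
  %w[0.9.11 0.10.0 0.10.0.1 0.10.1 0.10.2 0.11.0 0.11.1 0.12.0 0.12.1].each do |s|
    puts format("%-9s %s", s, uri_patched?(s) ? "patched" : "vulnerable")
  end
end
```

A plain "greater than or equal to" comparison against the lowest fixed version would wrongly pass 0.10.1, 0.11.0 and 0.12.0, so inventory checks should compare per release line.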
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved