ReDoS Vulnerability in Ruby URI Component Before Version 0.12.2
CVE-2023-36617

5.3MEDIUM

Key Information:

Vendor: Ruby-lang
Status: Uri
Vendor: CVE Published:; 29 June 2023

What is CVE-2023-36617?

A ReDoS vulnerability has been identified in the URI component of Ruby, affecting versions prior to 0.12.2. The issue arises from the URI parser's inability to handle specific invalid URL characters correctly, leading to significant delays in execution time when parsing strings into URI objects. This vulnerability is linked to an incomplete fix for a previous issue (CVE-2023-28755), which emphasizes the need for users to update to version 0.10.3 or later to mitigate potential risks.

References

https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri...

https://security.netapp.com/advisory/ntap-20230725-0002/

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 29, 2023
Vulnerability Reserved
Jun 25, 2023

Ruby-lang

What is CVE-2023-36617?

References

CVSS V3.1

Timeline