CVE-2023-28755: ReDoS vulnerability in URI
We have released uri gem versions 0.10.0.1, 0.10.2, 0.11.1 and 0.12.1, which include a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755.
Details
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.
Please update the uri gem to version 0.12.1 or later. We have also released fixed versions of the older uri gem series that ship with each Ruby release; use them if you need only the security fix.
- For Ruby 2.7 users: URI 0.10.0.1
- For Ruby 3.0 users: URI 0.10.2
- For Ruby 3.1 users: URI 0.11.1
- For Ruby 3.2 users: URI 0.12.1
You can use
gem update uri
to update it. If you are using bundler, please add
gem "uri", ">= 0.12.1"
to your Gemfile.
Affected versions
- uri gem 0.12.0
- uri gem 0.11.0
- uri gem 0.10.0 or 0.10.1
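As an added example (not part of the advisory or the uri gem itself), the Ruby snippet below checks a uri gem version against the fixed releases listed above and bounds parsing of untrusted input while an upgrade is rolled out. The MAX_URI_LENGTH value and the one-second Regexp timeout are constructed, and the rule that anything newer than 0.12.1 carries the fix is an assumption.

```ruby
require "rubygems"
require "uri"

# Fixed releases named in the advisory, keyed by gem series.
FIXED_URI_VERSIONS = {
  "0.10" => %w[0.10.0.1 0.10.2],
  "0.11" => %w[0.11.1],
  "0.12" => %w[0.12.1],
}.freeze

# True when +version+ (e.g. "0.11.0") is a release that carries the
# CVE-2023-28755 fix according to the advisory table.
# Assumption: every release newer than 0.12.1 inherits the fix.
def uri_patched?(version)
  v = Gem::Version.new(version)
  return true if v >= Gem::Version.new("0.12.1")

  series = v.segments[0, 2].join(".")
  fixed = FIXED_URI_VERSIONS[series]
  return false if fixed.nil? # unknown series: treat as unpatched

  # 0.10.0.1 sorts below 0.10.1, so "at least the oldest fix" would wrongly
  # accept 0.10.1. Accept an exact fixed release, or anything at/above the
  # newest fix in that series.
  fixed.include?(version) || v >= Gem::Version.new(fixed.last)
end

# Checks the uri gem actually loaded into this process.
def loaded_uri_patched?
  uri_patched?(URI::VERSION)
end

# Process-wide regex match timeout (Ruby 3.2+ only; older Rubies skip it).
# Turns a runaway match into Regexp::TimeoutError instead of a hung worker.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

MAX_URI_LENGTH = 2048 # constructed limit; size it for your application

# Defensive parse for untrusted input: the length cap bounds the work the
# parser's regexes can do on a single string before the upgrade lands.
def parse_untrusted_uri(str, max_length: MAX_URI_LENGTH)
  if str.length > max_length
    raise ArgumentError, "URI too long (#{str.length} > #{max_length})"
  end
  URI.parse(str)
end

puts "loaded uri #{URI::VERSION} patched? #{loaded_uri_patched?}" if $PROGRAM_NAME == __FILE__
```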
Credits
Thanks to Dominic Couture for discovering this issue.
History
- Originally published at 2023-03-28 01:00:00 (UTC)
Posted by hsbt on 28 Mar 2023
https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/