CVE-2023-28755: ReDoS vulnerability in URI



  • We have released the uri gem version 0.10.0.1, 0.10.2, 0.11.1 and 0.12.1 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755.

    Details

    A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.

    Please update the uri gem to version 0.12.1 or later. We have also released fixed versions of the uri gem for older Ruby releases. Please use them if you only need the security fix.

    • For Ruby 2.7 users: URI 0.10.0.1
    • For Ruby 3.0 users: URI 0.10.2
    • For Ruby 3.1 users: URI 0.11.1
    • For Ruby 3.2 users: URI 0.12.1

    You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.1" to your Gemfile.

    Affected versions

    • uri gem 0.12.0
    • uri gem 0.11.0
    • uri gem 0.10.0 or 0.10.1

    Credits

    Thanks to Dominic Couture for discovering this issue.

    History

    • Originally published at 2023-03-28 01:00:00 (UTC)

    Posted by hsbt on 28 Mar 2023



    https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
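Added example, not part of the advisory or the uri gem itself: a Ruby script that audits the loaded uri gem against the affected and fixed versions listed above and, as a stop-gap until the update is rolled out, wraps URI.parse with an input length cap and a time bound. The 2048-byte cap, the 0.5 s budget, and the function names are assumptions chosen for illustration; the version ranges follow the advisory's lists. One pitfall the script handles: Gem::Version orders 0.10.0.1 (the Ruby 2.7 backport) below 0.10.1, so a plain ">= 0.12.1" comparison would misreport a patched Ruby 2.7 install as vulnerable.

```ruby
# Added example, not from the advisory or the uri gem.
# Audits the loaded uri gem against the advisory's version table and
# wraps URI.parse so that a slow parse cannot stall the caller.
require "rubygems"
require "uri"
require "timeout"

# Version ranges the advisory marks as affected. Gem::Version sorts
# 0.10.0.1 below 0.10.1, so the backport fixes are carved out explicitly
# rather than relying on a single "< 0.12.1" comparison.
VULNERABLE_RANGES = [
  Gem::Requirement.new("< 0.10.0.1"),             # 0.10.0 and anything older
  Gem::Requirement.new(">= 0.10.1", "< 0.10.2"),  # 0.10.1
  Gem::Requirement.new(">= 0.11.0", "< 0.11.1"),  # 0.11.0
  Gem::Requirement.new(">= 0.12.0", "< 0.12.1"),  # 0.12.0
].freeze

# Fixed uri gem version per Ruby series, as listed in the advisory.
FIX_FOR_RUBY_SERIES = {
  "2.7" => "0.10.0.1",
  "3.0" => "0.10.2",
  "3.1" => "0.11.1",
}.freeze
MAINLINE_FIX = "0.12.1" # Ruby 3.2 and anything newer

def vulnerable?(uri_gem_version)
  v = Gem::Version.new(uri_gem_version)
  VULNERABLE_RANGES.any? { |range| range.satisfied_by?(v) }
end

def recommended_fix(ruby_version)
  series = Gem::Version.new(ruby_version).segments.first(2).join(".")
  FIX_FOR_RUBY_SERIES.fetch(series, MAINLINE_FIX)
end

# Report on the running interpreter. URI::VERSION is the loaded gem's version.
def audit_installed
  {
    ruby: RUBY_VERSION,
    uri: URI::VERSION,
    vulnerable: vulnerable?(URI::VERSION),
    fix: recommended_fix(RUBY_VERSION),
  }
end

# --- Mitigation while the update is rolled out ---
MAX_URI_BYTES = 2048     # assumption: generous cap for URLs this app accepts
PARSE_TIMEOUT_SEC = 0.5  # assumption: tolerable parse time per URL

# Ruby 3.2+ can bound every regex match process-wide; older Rubies only
# get the best-effort Timeout below.
Regexp.timeout = PARSE_TIMEOUT_SEC if Regexp.respond_to?(:timeout=)
REGEXP_TIMEOUT = defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

# Returns [:ok, URI] or [:rejected, reason]. The length cap comes first:
# it bounds ReDoS cost regardless of parser version and needs no
# interrupt support from the regex engine.
def parse_uri_bounded(str, max_bytes: MAX_URI_BYTES, timeout: PARSE_TIMEOUT_SEC)
  return [:rejected, :too_long] if str.bytesize > max_bytes
  uri = Timeout.timeout(timeout) { URI.parse(str) }
  [:ok, uri]
rescue REGEXP_TIMEOUT, Timeout::Error
  [:rejected, :timeout]
rescue URI::InvalidURIError
  [:rejected, :invalid]
end

if __FILE__ == $0
  puts audit_installed.inspect
  puts parse_uri_bounded("http://example.com/a?b=1").inspect
  puts parse_uri_bounded("http://example.com/" + "a" * 4096).inspect
end
```

Run it on each Ruby series you ship to confirm that the reported uri version is no longer flagged after gem update uri; the parse wrapper is a defence-in-depth measure for user-supplied URLs, not a substitute for the update.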


© Lightnetics 2024