{ "schema_version": "1.4.0", "id": "GHSA-hv5j-3h9f-99c2", "modified": "2025-02-14T22:15:24Z", "published": "2023-03-31T06:30:15Z", "aliases": [ "CVE-2023-28755" ], "summary": "Ruby URI component ReDoS issue", "details": "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "uri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.12.0" }, { "fixed": "0.12.1" } ] } ], "versions": [ "0.12.0" ] }, { "package": { "ecosystem": "RubyGems", "name": "uri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.11.0" }, { "fixed": "0.11.1" } ] } ], "versions": [ "0.11.0" ] }, { "package": { "ecosystem": "RubyGems", "name": "uri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.10.1" }, { "fixed": "0.10.2" } ] } ], "versions": [ "0.10.1" ] }, { "package": { "ecosystem": "RubyGems", "name": "uri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.10.0.1" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28755" }, { "type": "WEB", "url": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755" }, { "type": "WEB", "url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released" }, { "type": "WEB", "url": "https://www.ruby-lang.org/en/downloads/releases" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230526-0003" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202401-27" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-28755.yml" }, { "type": "WEB", "url": "https://github.com/ruby/uri/releases" }, { "type": "PACKAGE", "url": "https://github.com/ruby/uri" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-03-31T22:43:59Z", "nvd_published_at": "2023-03-31T04:15:00Z" } }