Bugzilla – Bug 1212890
VUL-0: CVE-2023-36617: ruby2.1,ruby,ruby2.5,ruby3.2: rubygem-uri: vulnerability for ReDoS
Last modified: 2023-09-15 00:11:31 UTC
CVE-2023-36617

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36617
https://bugzilla.redhat.com/show_bug.cgi?id=2218614
https://www.cve.org/CVERecord?id=CVE-2023-36617
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
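The description above names the fixed uri releases (0.12.2 and the 0.10.3 backport) and the two parser files involved. The following Ruby snippet is an added example, not part of this bug report or of the uri project: it classifies a uri gem version string against those fixed versions, reports whether the interpreter's own URI::VERSION is fixed, and caps input length before URI.parse as a generic mitigation for quadratic backtracking. Reading "before 0.12.2" literally so that 0.11.x counts as affected is an assumption, as are the helper names (uri_fixed?, safe_parse, URITooLong) and the 2048-byte limit.

```ruby
# Added example (not from the bug report or the uri gem): version check for
# CVE-2023-36617 plus a length cap before parsing. Helper names and the
# MAX_URI_LENGTH value are assumptions chosen for illustration.
require "uri"
require "rubygems"

# Fixed releases per the CVE text: everything from 0.12.2 on, plus the 0.10.3
# backport for the 0.10.x line. 0.11.x is treated as affected because the
# description names only those two fixed versions (assumption).
FIXED_MAINLINE = Gem::Version.new("0.12.2")
FIXED_BACKPORT = Gem::Version.new("0.10.3")
NEXT_MINOR_AFTER_BACKPORT = Gem::Version.new("0.11.0")

# Returns true when +version_string+ names a uri release that contains the fix.
def uri_fixed?(version_string)
  v = Gem::Version.new(version_string)
  return true if v >= FIXED_MAINLINE
  # 0.10.x line: 0.10.3 and later point releases, but nothing in 0.11.x.
  v >= FIXED_BACKPORT && v < NEXT_MINOR_AFTER_BACKPORT
end

# Check the uri library actually loaded in this interpreter (URI::VERSION is
# defined by uri/version.rb in both the bundled and the gem copy).
def installed_uri_fixed?
  uri_fixed?(URI::VERSION)
end

# Length cap as a generic ReDoS mitigation: quadratic backtracking only gets
# expensive on long inputs, so refuse oversized strings before the parser's
# regexps ever run. 2048 bytes is an assumed limit; pick one for your app.
MAX_URI_LENGTH = 2048

class URITooLong < URI::InvalidURIError; end

# Parse +str+ like URI.parse, but reject inputs longer than +max_len+ first.
def safe_parse(str, max_len: MAX_URI_LENGTH)
  raise URITooLong, "URI longer than #{max_len} bytes" if str.bytesize > max_len
  URI.parse(str)
end

if $PROGRAM_NAME == __FILE__
  state = installed_uri_fixed? ? "fixed" : "affected"
  puts "uri #{URI::VERSION}: #{state} for CVE-2023-36617"
  p safe_parse("http://example.com/path?q=1").host
end
```

The length cap does not replace the upgrade: it bounds worst-case parse time for untrusted input on hosts that still carry an affected uri, and stays harmless once the fixed version is installed.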
Tracking as affected:
- SUSE:SLE-15:Update/ruby2.5
- SUSE:ALP:Source:Standard:1.0/ruby3.2 3.2.2
- openSUSE:Factory/ruby3.2 3.2.2
Fix: https://github.com/ruby/ruby/pull/7995/files
(In reply to Hu from comment #2)
> Fix: https://github.com/ruby/ruby/pull/7995/files

This is actually the fix for the in-tree copy of uri in bundler. Our bundler package does not have that in-tree copy yet.

```
commit 995ce947bed7e92bcda185f164d43089e6a1cf5e
Author: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date:   Sat Apr 22 20:09:10 2023 +0900

    [ruby/uri] Fix quadratic backtracking on invalid port number

    https://hackerone.com/reports/1958260

    https://github.com/ruby/uri/commit/9d7bcef1e6

commit 1eff362492f4a0ca8d6d036c958afa7961e827f0
Author: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date:   Sat Apr 22 20:08:32 2023 +0900

    [ruby/uri] Fix quadratic backtracking on invalid relative URI

    https://hackerone.com/reports/1958260

    https://github.com/ruby/uri/commit/9010ee2536
```