Описание
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| rubygems | fixed | 3.4.20-1 | package | |
| rubygems | no-dsa | bookworm | package | |
| ruby3.1 | removed | package | ||
| ruby3.1 | no-dsa | bookworm | package | |
| ruby2.7 | removed | package | ||
| ruby2.5 | removed | package | ||
| jruby | fixed | 9.4.3.0+ds-1~exp1 | experimental | package |
| jruby | fixed | 9.4.5.0+ds-1 | package | |
| jruby | ignored | bookworm | package |
Примечания
Fixed by: https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300 (v3_1_4)
Fixed by: https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175 (v0.12.1)
https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
Incomplete fix, cf. CVE-2023-36617
https://github.com/jruby/jruby/commit/7e220403384faef102e838b412b4d1b3a9cfb6ec (9.4.3.0)
EPSS
Связанные уязвимости
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Уязвимость компонента URI языка программирования Ruby, связанная с использованием регулярного выражения c неэффективной вычислительной сложностью, позволяющая нарушителю вызвать отказ в обслуживании
EPSS