Description
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
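A defensive wrapper for the behaviour described above, as an added example (not code from the uri gem or its fix commits). The helper name, hosts and credentials are hypothetical, constructed values; the helper returns the same result whether or not the installed library already contains the fix.

```ruby
require "uri"

# Hypothetical helper (not part of the uri gem): resolve +ref+ against +base+
# and make sure the base's userinfo never travels to a different host or port.
def join_dropping_foreign_userinfo(base, ref)
  base_uri = URI(base.to_s)
  ref_uri  = URI(ref.to_s)
  joined   = base_uri.merge(ref_uri)

  # Nothing to protect if the result carries no credentials.
  return joined if joined.userinfo.nil?

  # Credentials that the reference supplied itself are intentional.
  return joined if ref_uri.userinfo

  same_authority = joined.host.to_s.casecmp?(base_uri.host.to_s) &&
                   joined.port == base_uri.port
  return joined if same_authority

  # Host or port changed but the base's userinfo is still attached.
  # URI#to_s emits "<userinfo>@" once, directly after "scheme://", so
  # removing the first literal match rebuilds the URI without it.
  URI(joined.to_s.sub("#{joined.userinfo}@", ""))
end

# Constructed sample values.
BASE = "https://svc:s3cret@api.example.com/v1/"
SAMPLE_REFS = [
  "items?id=1",                   # same host: credentials stay
  "//other.example.net/cb",       # host changes: credentials must not follow
  "//bob:pw@other.example.net/x"  # reference brings its own credentials
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REFS.each do |ref|
    puts "#{ref.ljust(32)} -> #{join_dropping_foreign_userinfo(BASE, ref)}"
  end
end
```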
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
ruby3.3 | fixed | 3.3.7-2 | | package |
ruby3.1 | removed | | | package |
ruby3.1 | no-dsa | | bookworm | package |
ruby2.7 | removed | | | package |
rubygems | fixed | 3.6.6-1 | | package |
rubygems | no-dsa | | bookworm | package |
Notes
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 (v1.0.3)
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5 (v1.0.3)
https://github.com/ruby/uri/pull/154
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml