CVE-2025-27221

Опубликовано: 03 мар. 2025

Источник: redhat

CVSS3: 3.2

Описание

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

A flaw was found in the URI ruby gem package, where userinfo leakage can occur in the uri gem. The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak can occur.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 9	ruby-30	Fix deferred
Red Hat Enterprise Linux 9	ruby-31	Fix deferred
Red Hat Enterprise Linux 9	ruby-33	Fix deferred
Red Hat Enterprise Linux 10	ruby	Fixed	RHSA-2025:8131	26.05.2025
Red Hat Enterprise Linux 8	ruby	Fixed	RHSA-2025:4063	23.04.2025
Red Hat Enterprise Linux 9	ruby	Fixed	RHSA-2025:4488	06.05.2025
Red Hat Enterprise Linux 9	ruby	Fixed	RHSA-2025:4493	06.05.2025

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

Дефект:

CWE-212

https://bugzilla.redhat.com/show_bug.cgi?id=2349700uri: userinfo leakage in URI#join, URI#merge and URI#+

3.2 Low

CVSS3

Связанные уязвимости

CVE-2025-27221

CVSS3: 3.2

ubuntu

4 месяца назад

CVE-2025-27221

CVSS3: 3.2

nvd

4 месяца назад

CVE-2025-27221

CVSS3: 5.3

msrc

3 месяца назад

Описание отсутствует

CVE-2025-27221

CVSS3: 3.2

debian

4 месяца назад

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.jo ...

ROS-20250417-13

CVSS3: 5.3

redos

2 месяца назад

Уязвимость ruby

3.2 Low

CVSS3