GSD-2023-28755
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-28755",
"id": "GSD-2023-28755"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-28755"
],
"details": "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.",
"id": "GSD-2023-28755",
"modified": "2023-12-13T01:20:48.707169Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2023-28755",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/",
"refsource": "MISC",
"url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/"
},
{
"name": "https://www.ruby-lang.org/en/downloads/releases/",
"refsource": "MISC",
"url": "https://www.ruby-lang.org/en/downloads/releases/"
},
{
"name": "https://github.com/ruby/uri/releases/",
"refsource": "MISC",
"url": "https://github.com/ruby/uri/releases/"
},
{
"name": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/"
},
{
"name": "FEDORA-2023-6b924d3b75",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/"
},
{
"name": "FEDORA-2023-a7be7ea1aa",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/"
},
{
"name": "FEDORA-2023-f58d72c700",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/"
},
{
"name": "[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230526-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20230526-0003/"
},
{
"name": "GLSA-202401-27",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202401-27"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=0.10.1 \u003c=0.12.0",
"affected_versions": "All versions starting from 0.10.1 up to 0.12.0",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"cwe_ids": [
"CWE-1035",
"CWE-1333",
"CWE-937"
],
"date": "2023-05-30",
"description": "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.",
"fixed_versions": [
"0.12.1"
],
"identifier": "CVE-2023-28755",
"identifiers": [
"CVE-2023-28755",
"GHSA-hv5j-3h9f-99c2"
],
"not_impacted": "All versions before 0.10.1, all versions after 0.12.0",
"package_slug": "gem/uri",
"pubdate": "2023-03-31",
"solution": "Upgrade to version 0.12.1 or above.",
"title": "Ruby URI component ReDoS issue",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-28755",
"https://github.com/ruby/uri/releases/",
"https://www.ruby-lang.org/en/downloads/releases/",
"https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/",
"https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/",
"https://github.com/advisories/GHSA-hv5j-3h9f-99c2"
],
"uuid": "5073da6d-e466-4fd6-b6a4-f108063d6a6f"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "ADDFECF7-5F46-498B-9862-55DA03C8F07B",
"versionEndIncluding": "0.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:uri:0.10.1:*:*:*:*:ruby:*:*",
"matchCriteriaId": "9AEC0027-E0D8-4E68-BDFC-6FAEFF01FEEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:uri:0.11.0:*:*:*:*:ruby:*:*",
"matchCriteriaId": "3D764446-C057-4529-B486-CA7C9D38E48A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:uri:0.12.0:*:*:*:*:ruby:*:*",
"matchCriteriaId": "8C229D83-75B1-4874-B2A9-764FBA12C517",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
"matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1."
}
],
"id": "CVE-2023-28755",
"lastModified": "2024-01-24T05:15:12.900",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-31T04:15:09.037",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/ruby/uri/releases/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/202401-27"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20230526-0003/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.ruby-lang.org/en/downloads/releases/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…