CVE-2023-36617

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-36617

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36617.json

Aliases

GHSA-hww2-5g85-429m

Related

ALSA-2024:1431
ALSA-2024:1576
RLSA-2024:1431
RLSA-2024:1576
USN-6219-1

Withdrawn

2024-05-15T05:32:13.073184Z

Published

2023-06-29T13:15:09Z

Modified

2023-11-29T10:08:00.593221Z

Summary

[none]

Details

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396parser.rb and rfc3986parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

References

https://security.netapp.com/advisory/ntap-20230725-0002/
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/

Affected packages

Git / github.com/ruby/uri

Affected ranges

Type: GIT
Repo: https://github.com/ruby/uri
Events: Introduced

1619f713e60ddffd238276e5f03f4f916074476b

Fixed

988ab017b7ee69a2e1b12b64382ae137522af03a

Affected versions

v0.*

v0.11.0

v0.12.0

v0.12.1