CVE-2023-28755
Published: 31 March 2023
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Notes
| Author | Note |
|---|---|
| tyhicks | ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jruby Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Needs triage
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
|
ruby1.9.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
ruby2.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
ruby2.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.3.1-2~ubuntu16.04.16+esm7)
|
|
|
ruby2.5 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.5.1-1ubuntu1.16)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(out of standard support)
|
|
|
ruby2.7 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(2.7.0-5ubuntu1.11)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(out of standard support)
|
|
|
ruby3.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Needed
|
|
| lunar |
Needs triage
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(out of standard support)
|
|
|
rubygems Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Needed
|
|
| kinetic |
Needed
|
|
| lunar |
Needs triage
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(out of standard support)
|
|
|
Patches: upstream: https://github.com/rubygems/rubygems/commit/c620606ad04df08b15271ff24bdcd9626ad81818 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28755
- https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
- https://github.com/ruby/uri/releases/
- https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
- https://www.ruby-lang.org/en/downloads/releases/
- https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300
- https://ubuntu.com/security/notices/USN-6055-1
- https://ubuntu.com/security/notices/USN-6055-2
- https://ubuntu.com/security/notices/USN-6087-1
- NVD
- Launchpad
- Debian