CVE-2023-28755: ReDoS vulnerability in URI

Author:
Source

Sponsored:

Atlas of AI: Power, Politics, and the Planetary Costs of Artificial Intelligence - Audiobook


Uncover the true cost of artificial intelligence.

"Atlas of AI" by Kate Crawford exposes how power, politics, and profit extract from our planet, our labor, and our freedom.

From hidden mines to massive data empires, discover how AI is reshaping who we are—and who holds control.

Listen now, and see the system behind the screens before the future listens to you. = > Atlas of AI $0.00 with trial. Read by Larissa Gallagher


We have released the uri gem version 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1 that has a security fix for a ReDoS vulnerability.
This vulnerability has been assigned the CVE identifier CVE-2023-28755.

Details

A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.

The uri gem version 0.12.0, 0.11.0, 0.10.1, 0.10.0 and all versions prior 0.10.0 are vulnerable for this vulnerability.

Recommended action

We recommend to update the uri gem to 0.12.1. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

  • For Ruby 2.7: Update to uri 0.10.0.1
  • For Ruby 3.0: Update to uri 0.10.2
  • For Ruby 3.1: Update to uri 0.11.1
  • For Ruby 3.2: Update to uri 0.12.1

You can use gem update uri to update it. If you are using bundler, please add gem "uri", ">= 0.12.1" (or other version mentioned above) to your Gemfile.

Affected versions

  • uri gem 0.12.0
  • uri gem 0.11.0
  • uri gem 0.10.1
  • uri gem 0.10.0 or before

Credits

Thanks to Dominic Couture for discovering this issue.

History

  • Originally published at 2023-03-28 01:00:00 (UTC)
  • Update Affected versions at 2023-03-28 02:00:00 (UTC)

Posted by hsbt on 28 Mar 2023

Read more