CVE-2023-28755
ruby2.5 - security update
7.5
HIGH
CVSS 3.1
EPSS 0.37%
Description
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that contain specific characters: when such a string is converted to a URI object, execution time grows far out of proportion to the input length, so a single attacker-supplied URL can tie up the thread or worker parsing it. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. Note that this parser ships with Ruby itself (as the uri default gem since Ruby 2.7, as plain standard library before that), so an application can be running the affected code without uri ever appearing in its Gemfile; the fix arrives either through the Ruby or distro package, or through a newer uri gem that overrides the bundled copy.
How to fix CVE-2023-28755
To remediate CVE-2023-28755, upgrade the affected package to a fixed version below.
- —upgrade to 2.7.8-r0 or later
- —no fix listed
- —upgrade to 2.5.5-3+deb10u5 or later
- —upgrade to 2.7.4-1+deb11u2 or later
- —no fix listed
- —upgrade to 3.2.5-2+deb11u1 or later
- —upgrade to 0.12.1 or later
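Two practitioner checks follow as an added example (not code from the ruby/uri project or from this advisory): first, a version test that applies the fixed-version list above to whatever uri gem a Ruby process actually loads, since the vulnerable copy is usually the one bundled with the interpreter rather than one declared in a Gemfile; second, a defensive wrapper for parsing untrusted URLs that caps input size and bounds regexp execution time. The version logic is derived only from the four fixed versions the advisory lists; treating release lines newer than 0.12 as fixed is an assumption, and the sample URLs are constructed. `Regexp.timeout=` exists only on Ruby 3.2 and later, so the wrapper enables it conditionally.

```ruby
# Added example: is the loaded Ruby URI parser fixed for CVE-2023-28755,
# and how to parse untrusted URLs defensively in the meantime.
# Not code from the ruby/uri project or from the advisory.
require "uri"
require "rubygems" # Gem::Version; normally loaded by default

# Fixed releases from the advisory, keyed by release line. Any version on
# the same line at or above the fix counts as fixed. 0.10.0.1 is a backport
# that sorts between 0.10.0 and 0.10.1, so it is treated as its own line.
# Assumption: lines newer than 0.12 (0.13 and later) contain the fix.
FIXED_LINES = {
  [0, 12]    => Gem::Version.new("0.12.1"),
  [0, 11]    => Gem::Version.new("0.11.1"),
  [0, 10]    => Gem::Version.new("0.10.2"),
  [0, 10, 0] => Gem::Version.new("0.10.0.1"),
}.freeze

# True when the given uri gem version string is not affected.
def uri_fixed?(version_string)
  ver  = Gem::Version.new(version_string)
  segs = ver.segments
  return true if ver >= Gem::Version.new("0.13") # assumption, see above
  # Try the longest line prefix first so 0.10.0.x is matched before 0.10.
  [segs[0, 3], segs[0, 2]].each do |line|
    fix = FIXED_LINES[line]
    return ver >= fix if fix
  end
  false # 0.9.x and earlier never received a fix
end

# Report on the parser this process actually loads. Before the uri default
# gem (Ruby 2.7) URI::VERSION does not exist; then the distro package
# version in the fix list is the only source of truth.
def loaded_uri_status
  return { version: nil, fixed: nil } unless defined?(URI::VERSION)
  { version: URI::VERSION, fixed: uri_fixed?(URI::VERSION) }
end

# Defence in depth for untrusted URLs regardless of gem version: refuse
# oversized input up front (ReDoS cost grows with input length) and bound
# regexp execution where the runtime supports it (Ruby 3.2+ only).
MAX_URL_LENGTH = 2048
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Returns a URI on success, nil for oversized, malformed or slow input.
# Regexp::TimeoutError (Ruby 3.2+) is a RegexpError, so rescuing the
# parent class works on every Ruby version.
def safe_parse(untrusted)
  return nil if untrusted.nil? || untrusted.bytesize > MAX_URL_LENGTH
  URI.parse(untrusted)
rescue URI::Error, RegexpError
  nil
end

if $PROGRAM_NAME == __FILE__
  st = loaded_uri_status
  verdict = if st[:fixed].nil? then "unknown, check the distro package"
            elsif st[:fixed]   then "fixed"
            else                    "VULNERABLE"
            end
  puts "uri #{st[:version] || '(no URI::VERSION)'}: #{verdict}"
  sample = "http://example.com/path?q=1" # constructed sample input
  puts "safe_parse(#{sample.inspect}) => #{safe_parse(sample).inspect}"
end
```

Run it with the interpreter your application uses (`ruby check_uri.rb`, or via `bundle exec` if a Gemfile pins uri) because the answer depends on which copy of uri is loaded, not on what is installed system-wide. The length cap is the more important half of `safe_parse`: a regexp timeout only bounds the damage per call, so without a size limit an attacker can still burn up to the full timeout of CPU on every request.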
Is CVE-2023-28755 being exploited?
Low: EPSS is 0.37% (the score shown above), i.e. a low estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a report of observed exploitation, and a ReDoS needs no exploit chain beyond submitting a crafted URL to a service that parses it, so prioritise the upgrade wherever untrusted URLs reach the Ruby URI parser.
Affected packages (7)
- from 0, < 2.7.8-r0
- from 0
- from 0, < 2.5.5-3+deb10u5
- from 0, < 2.7.4-1+deb11u2
- from 0
- from 0, < 3.2.5-2+deb11u1
- >= 0.12.0, < 0.12.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |