CVE-2023-36617 — URI gem has ReDoS vulnerability

Description

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

How to fix CVE-2023-36617

To remediate CVE-2023-36617, upgrade the affected package to a fixed version below.

—upgrade to 2.7.4-1+deb11u2 or later
—upgrade to 0.10.3 or later

Is CVE-2023-36617 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.7.4-1+deb11u2
>= 0.10.1, < 0.10.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (18)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-36617
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-36617
PATCHgithub.com/ruby/uri
WEBgithub.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml