CVE-2023-28755 : A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

Published 2023-03-31 04:15:09

Updated 2025-02-14 20:15:33

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-28755

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 38
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Matching versions
Ruby-lang » URI » For Ruby
Versions up to, including, (<=) 0.10.0
cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
Matching versions
Ruby-lang » URI » Version: 0.12.0 For Ruby
cpe:2.3:a:ruby-lang:uri:0.12.0:*:*:*:*:ruby:*:*
Matching versions
Ruby-lang » URI » Version: 0.10.1 For Ruby
cpe:2.3:a:ruby-lang:uri:0.10.1:*:*:*:*:ruby:*:*
Matching versions
Ruby-lang » URI » Version: 0.11.0 For Ruby
cpe:2.3:a:ruby-lang:uri:0.11.0:*:*:*:*:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-28755

EPSS FAQ

0.41%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 60 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-28755

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-14
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2023-28755

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-28755

https://security.netapp.com/advisory/ntap-20230526-0003/

CVE-2023-28755 Ruby Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html

[SECURITY] [DLA 3408-1] jruby security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/

[SECURITY] Fedora 37 Update: ruby-3.1.4-175.fc37 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/

[SECURITY] Fedora 36 Update: ruby-3.1.4-175.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/ruby/uri/releases/

Releases · ruby/uri · GitHub
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/

[SECURITY] Fedora 37 Update: ruby-3.1.4-175.fc37 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/

[SECURITY] Fedora 38 Update: ruby-3.2.4-182.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://security.gentoo.org/glsa/202401-27

Ruby: Multiple vulnerabilities (GLSA 202401-27) — Gentoo security

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/

[SECURITY] Fedora 39 Update: ruby-3.2.4-182.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/

[SECURITY] Fedora 38 Update: ruby-3.2.2-180.fc38 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/

CVE-2023-28755: ReDoS vulnerability in URI
Vendor Advisory
https://www.ruby-lang.org/en/downloads/releases/

Ruby Releases
Release Notes

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/

[SECURITY] Fedora 38 Update: ruby-3.2.2-180.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/

Ruby 3.2.0 Released
Release Notes

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/

[SECURITY] Fedora 36 Update: ruby-3.1.4-175.fc36 - package-announce - Fedora Mailing-Lists

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-28755

Products affected by CVE-2023-28755

Exploit prediction scoring system (EPSS) score for CVE-2023-28755

CVSS scores for CVE-2023-28755

CWE ids for CVE-2023-28755

References for CVE-2023-28755