Vulnerability Details : CVE-2023-36617
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that contain specific characters, causing an increase in execution time when parsing strings into URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
Products affected by CVE-2023-36617
- cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-36617
- EPSS score: 0.89% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~74% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-36617
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | NIST | 
CWE ids for CVE-2023-36617
- The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2023-36617
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/ : [SECURITY] Fedora 38 Update: ruby-3.2.4-182.fc38 - package-announce - Fedora Mailing-Lists
- https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/ : CVE-2023-36617: ReDoS vulnerability in URI (Mitigation; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20230725-0002/ : CVE-2023-36617 Ruby Vulnerability in NetApp Products | NetApp Product Security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/ : [SECURITY] Fedora 39 Update: ruby-3.2.4-182.fc39 - package-announce - Fedora Mailing-Lists