CVE-2023-36617
First published: Thu Jun 29 2023(Updated: )
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. [The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead: - For Ruby 3.0: Update to uri 0.10.3 - For Ruby 3.1 and 3.2: Update to uri 0.12.2. You can use gem update uri to update it. If you are using bundler, please add gem `uri`, `>= 0.12.2` (or other version mentioned above) to your Gemfile.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby-lang Uri | <0.10.3 | |
| Ruby-lang Uri | >=0.11.0<0.12.2 | |
| rubygems/uri | <0.10.0.3 | 0.10.0.3 |
| rubygems/uri | >=0.11.0<0.11.2 | 0.11.2 |
| rubygems/uri | >=0.12.0<0.12.2 | 0.12.2 |
| rubygems/uri | >=0.10.1<0.10.3 | 0.10.3 |
| redhat/rubygem-uri | <0.12.2 | 0.12.2 |
| redhat/rubygem-uri | <0.10.3 | 0.10.3 |
| debian/jruby | 9.3.9.0+ds-8 9.4.8.0+ds-1 | |
| debian/ruby2.7 | <=2.7.4-1+deb11u1 | 2.7.4-1+deb11u2 |
| debian/ruby3.1 | 3.1.2-7+deb12u1 3.1.2-8.4 | |
| debian/rubygems | 3.2.5-2 3.3.15-2 3.4.20-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security.netapp.com/advisory/ntap-20230725-0002/
- https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/
- https://nvd.nist.gov/vuln/detail/CVE-2023-36617
- https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
- https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
- https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
- https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
- https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
- https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
- https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
- https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
- https://security.netapp.com/advisory/ntap-20230725-0002
- https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
- https://github.com/advisories/GHSA-hww2-5g85-429m (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
- https://launchpad.net/bugs/cve/CVE-2023-36617
- https://access.redhat.com/security/cve/CVE-2023-28755
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2221559
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2221560
- https://access.redhat.com/errata/RHSA-2024:1431
- https://access.redhat.com/errata/RHSA-2024:1576
- https://access.redhat.com/errata/RHSA-2024:4499
- https://bugzilla.redhat.com/show_bug.cgi?id=2218614
- https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1
- https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8
- https://security-tracker.debian.org/tracker/CVE-2023-36617
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36617
- https://ubuntu.com/security/CVE-2023-36617
Frequently Asked Questions
What is CVE-2023-36617?
CVE-2023-36617 is a ReDoS vulnerability in the URI component before version 0.12.2 for Ruby.
How does the URI parser mishandle invalid URLs?
The URI parser mishandles invalid URLs that have specific characters, leading to an increase in execution time.
What is the severity of CVE-2023-36617?
CVE-2023-36617 has a severity rating of medium (5.3).
What is the CWE ID for CVE-2023-36617?
The CWE ID for CVE-2023-36617 is 1333.
How can I fix CVE-2023-36617?
To fix CVE-2023-36617, update the URI component to version 0.12.2 or later for Ruby.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hww2-5g85-429m
- alias/CVE-2023-36617
- collector/nvd-cve
- collector/github-advisory
- collector/launchpad-cve
- source/Launchpad
- agent/event
- agent/references
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/ruby-lang
- canonical/ruby-lang uri
- version/ruby-lang uri/0.11.0
- package-manager/rubygems
- package-manager/redhat
- package-manager/debian