
=====================================================================

                              CERT-Renater

                   Note d'Information No. 2023/VULN138

_____________________________________________________________________

DATE                : 04/04/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running uri gem versions prior to
                      0.12.1, 0.11.1, 0.10.2, 0.10.0.1.

=====================================================================
https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
_____________________________________________________________________


CVE-2023-28755: ReDoS vulnerability in URI

Posted by hsbt on 28 Mar 2023

We have released the uri gem versions 0.12.1, 0.11.1, 0.10.2 and
0.10.0.1, which include a security fix for a ReDoS vulnerability. This
vulnerability has been assigned the CVE identifier CVE-2023-28755.


Details

A ReDoS issue was discovered in the URI component. The URI parser
mishandles invalid URLs that contain specific characters, which causes
an increase in execution time when parsing such strings into URI objects.

The uri gem versions 0.12.0, 0.11.0, 0.10.1, 0.10.0 and all versions
prior to 0.10.0 are affected by this vulnerability.


Recommended action

We recommend updating the uri gem to 0.12.1. To ensure compatibility
with the version bundled in older Ruby series, you may instead update
as follows:

     For Ruby 2.7: Update to uri 0.10.0.1
     For Ruby 3.0: Update to uri 0.10.2
     For Ruby 3.1: Update to uri 0.11.1
     For Ruby 3.2: Update to uri 0.12.1

You can use "gem update uri" to update it. If you are using bundler,
add gem "uri", ">= 0.12.1" (or another version mentioned above) to
your Gemfile.


Affected versions

     uri gem 0.12.0
     uri gem 0.11.0
     uri gem 0.10.1
     uri gem 0.10.0 or before
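
The following is an added example (not part of this advisory or of the uri
gem) that encodes the affected list and the per-series fixed versions above
so that a host can be checked for CVE-2023-28755 from within Ruby; the
function names and the fallback to URI::VERSION are this example's own
choices.

```ruby
# Added example, not from the advisory: classify a uri gem version against
# the affected versions stated above and report the fixed version to
# target for the running Ruby series.
require "rubygems"
require "uri"

# Exactly the affected set stated in the advisory: these three versions
# plus "0.10.0 or before".
EXPLICITLY_AFFECTED = %w[0.12.0 0.11.0 0.10.1].map { |v| Gem::Version.new(v) }.freeze
AFFECTED_UP_TO      = Gem::Version.new("0.10.0")

# Fixed version per Ruby series, from the "Recommended action" section.
FIXED_FOR_SERIES = {
  "2.7" => "0.10.0.1",
  "3.0" => "0.10.2",
  "3.1" => "0.11.1",
  "3.2" => "0.12.1",
}.freeze

# True if this uri gem version is in the advisory's affected list.
# Gem::Version orders 0.10.0.1 after 0.10.0, so the 2.7 backport is fixed.
def uri_version_affected?(version_string)
  v = Gem::Version.new(version_string)
  v <= AFFECTED_UP_TO || EXPLICITLY_AFFECTED.include?(v)
end

# Fixed version for a Ruby series such as "3.1"; series not listed in the
# advisory get the general recommendation of 0.12.1.
def recommended_uri_version(ruby_series)
  FIXED_FOR_SERIES.fetch(ruby_series, "0.12.1")
end

# Version of the uri gem loaded in this process: prefer the RubyGems spec
# (present after "gem update uri"), fall back to the bundled URI::VERSION.
def loaded_uri_version
  spec = Gem.loaded_specs["uri"]
  spec ? spec.version.to_s : (defined?(URI::VERSION) ? URI::VERSION : nil)
end

# Summarise the running interpreter: series, loaded version, verdict, target.
def check_running_ruby
  series  = RUBY_VERSION.split(".")[0, 2].join(".")
  current = loaded_uri_version
  { ruby_series: series, uri_version: current,
    affected: current ? uri_version_affected?(current) : nil,
    target: recommended_uri_version(series) }
end

if $PROGRAM_NAME == __FILE__
  r = check_running_ruby
  puts "Ruby #{r[:ruby_series]}: uri #{r[:uri_version] || 'unknown'} -> " \
       "#{r[:affected] ? "AFFECTED, update to #{r[:target]}" : 'not in affected list'}"
end
```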


Credits

Thanks to Dominic Couture for discovering this issue.


History

     Originally published at 2023-03-28 01:00:00 (UTC)
     Affected versions updated at 2023-03-28 02:00:00 (UTC)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

