{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-36617", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T16:52:54.187Z", "dateReserved": "2023-06-25T00:00:00", "datePublished": "2023-06-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-04T03:06:00.613164"}, "descriptions": [{"lang": "en", "value": "A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/"}, {"url": "https://security.netapp.com/advisory/ntap-20230725-0002/"}, {"name": "FEDORA-2024-31cac8b8ec", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/"}, {"name": "FEDORA-2024-48bdd3abbf", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:52:54.187Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230725-0002/", "tags": ["x_transferred"]}, {"name": "FEDORA-2024-31cac8b8ec", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/"}, {"name": "FEDORA-2024-48bdd3abbf", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "06CEBB34-129C-4B37-97B8-AB07821FEF47", "versionEndExcluding": "0.10.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "8975D88A-EAD0-4A3F-AB3E-1F768AAFFFBD", "versionEndExcluding": "0.12.2", "versionStartIncluding": "0.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version."}], "id": "CVE-2023-36617", "lastModified": "2024-05-04T03:15:06.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-29T13:15:09.583", "references": [{"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20230725-0002/"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1431", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:3.1-8090020240311122605.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:4499", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.5-8100020240627152904.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-11T00:00:00Z"}, {"advisory": "RHSA-2024:1576", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby:3.1-9030020240320163942.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-01T00:00:00Z"}], "bugzilla": {"description": "rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755", "id": "2218614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218614"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-185", "details": ["A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.", "A flaw was found in the rubygem URI. The URI parser mishandles invalid URLs that have specific characters, which causes an increase in execution time parsing strings to URI objects. This issue may result in a regular expression denial of service (ReDoS)."], "name": "CVE-2023-36617", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "ruby:3.0/ruby", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "puppet-agent", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "ruby", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "rubygem-bundler", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ruby30-ruby", "product_name": "Red Hat Software Collections"}], "public_date": "2023-06-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-36617\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-36617\nhttps://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617"], "statement": "This vulnerability exists due to an incomplete fix for CVE-2023-28755 in upstream.", "threat_severity": "Moderate", "upstream_fix": "rubygem-uri 0.12.2, rubygem-uri 0.10.3"}