CVE-2023-36617: Regex Denial of Service in URI

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.9% (top 24.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 29; latest update Sep 15

Description

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that contain specific characters, causing an increase in execution time when parsing strings into URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (9 packages)

Source   | Package       | Affected / fixed versions
debian   | debian/jruby  | < ruby2.7 2.7.4-1+deb11u2 (bullseye)
NVD      | ruby-lang/uri | 0.11.0 / 0.12.2 (+1 more)
RubyGems | ruby-lang/uri | 0.10.1 / 0.10.3 (+3 more)
debian   | debian/ruby2.7 | < ruby2.7 2.7.4-1+deb11u2 (bullseye)
debian   | debian/ruby3.1 | < ruby2.7 2.7.4-1+deb11u2 (bullseye)

Vulnerability Details (4)

OSV: ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.1 vulnerabilities (2023-07-12)
OSV: URI gem has ReDoS vulnerability (2023-06-29)
OSV: CVE-2023-36617: A ReDoS issue was discovered in the URI component before 0 (2023-06-29)
GHSA: URI gem has ReDoS vulnerability (2023-06-29)

Vendor Advisories (6)

Ubuntu: RubyGems vulnerability (2025-09-15)
CISA ICS: Siemens SCALANCE XCM-/XRM-300 (2024-02-15)
Ubuntu: Ruby vulnerabilities (2023-07-12)
Red Hat: rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755 (2023-06-29)
Microsoft: A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strin (2023-06-13)