PT-2023-8205 · Ruby+8 · Uri+8
Oooooo_Q · Published 2023-06-29 · Updated 2025-11-04
CVE-2023-36617
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
URI versions prior to 0.12.2
URI version 0.10.3 is also a fixed release, so versions prior to 0.10.3 and versions after 0.10.3 but prior to 0.12.2 are affected; for clarity and conciseness, the range prior to 0.12.2 is treated here as the primary affected range.
Description
A ReDoS (regular expression denial of service) issue was discovered in the URI component for Ruby. The URI parser mishandles invalid URLs that contain specific characters, which increases the execution time of parsing strings into URI objects, particularly in rfc2396_parser.rb and rfc3986_parser.rb. The issue exists because of an incomplete fix for a previous problem. A remote attacker can exploit this vulnerability to cause a denial of service.
Recommendations
For versions prior to 0.12.2, update to version 0.12.2 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the rfc2396_parser.rb and rfc3986_parser.rb components until a patch is applied.
Avoid using the vulnerable URI parser to handle untrusted or potentially malicious URLs until the issue is resolved.
Exploit
Fix
DoS
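The version check and the interim restriction above, as an added Ruby example (not part of this advisory or of the uri gem): it flags a uri gem version that falls inside the affected range the advisory describes, and wraps URI.parse for untrusted input behind a length cap and a wall-clock timeout. The 2048-byte cap and the one-second timeout are assumed values to be tuned per application.

```ruby
require 'uri'
require 'timeout'

# Fixed releases named in the advisory: 0.10.3 on the 0.10 line, 0.12.2 otherwise.
FIXED_0_10 = Gem::Version.new('0.10.3')
FIXED_0_12 = Gem::Version.new('0.12.2')

# True when the given uri gem version is in the affected range described above:
# anything below 0.10.3, or above 0.10.3 but below 0.12.2.
def affected_uri_version?(version_string)
  v = Gem::Version.new(version_string)
  return false if v == FIXED_0_10
  return false if v >= FIXED_0_12
  true
end

# Convenience check against the version constant the loaded uri library exposes.
def installed_uri_affected?
  defined?(URI::VERSION) ? affected_uri_version?(URI::VERSION) : nil
end

MAX_UNTRUSTED_URL_LENGTH = 2048 # assumed cap; bound the work a backtracking regex can do
PARSE_TIMEOUT_SECONDS = 1       # assumed backstop while the vulnerable parser is still in use

# On Ruby 3.2 and later, also bound individual regexp matches process-wide.
Regexp.timeout = PARSE_TIMEOUT_SECONDS.to_f if Regexp.respond_to?(:timeout=)

# Parse a URL from an untrusted source. The length cap is the primary guard
# (it caps how much input the regex-based parser ever sees); the timeout is a
# backstop. Returns a URI object, or nil when the input is rejected.
def parse_untrusted(str, max_len: MAX_UNTRUSTED_URL_LENGTH, seconds: PARSE_TIMEOUT_SECONDS)
  return nil if str.nil? || str.bytesize > max_len
  Timeout.timeout(seconds) { URI.parse(str) }
rescue URI::InvalidURIError, Timeout::Error
  nil
end
```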
Affected Products
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Uri
Ubuntu