Translate "CVE-2023-36617: ReDoS vulnerability in URI" (ko) #3094
Next
Next commit
cp {en,ko}/news/_posts/2023-06-29-redos-in-uri-CVE-2023-36617.md
- Loading branch information
commit c66bce4369e374449b4476022b08699d297460ee
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| --- | ||
| layout: news_post | ||
| title: "CVE-2023-36617: ReDoS vulnerability in URI" | ||
| author: "hsbt" | ||
| translator: | ||
| date: 2023-06-29 01:00:00 +0000 | ||
| tags: security | ||
| lang: en | ||
| --- | ||
|
|
||
| We have released the uri gem version 0.12.2, 0.10.3 that has a security fix for a ReDoS vulnerability. | ||
| This vulnerability has been assigned the CVE identifier [CVE-2023-36617](https://www.cve.org/CVERecord?id=CVE-2023-36617). | ||
|
|
||
| ## Details | ||
|
|
||
| A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. | ||
|
|
||
| NOTE: this issue exists because of an incomplete fix for [CVE-2023-28755](https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/). | ||
|
|
||
| The `uri` gem version 0.12.1 and all versions prior 0.12.1 are vulnerable for this vulnerability. | ||
|
|
||
| ## Recommended action | ||
|
|
||
| We recommend to update the `uri` gem to 0.12.2. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: | ||
|
|
||
| * For Ruby 3.0: Update to `uri` 0.10.3 | ||
| * For Ruby 3.1 and 3.2: Update to `uri` 0.12.2 | ||
|
|
||
| You can use `gem update uri` to update it. If you are using bundler, please add `gem "uri", ">= 0.12.2"` (or other version mentioned above) to your `Gemfile`. | ||
|
|
||
| ## Affected versions | ||
|
|
||
| * uri gem 0.12.1 or before | ||
|
|
||
| ## Credits | ||
|
|
||
| Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for discovering this issue. | ||
|
|
||
| Thanks to [nobu](https://github.com/nobu) for fixing this issue. | ||
|
|
||
| ## History | ||
|
|
||
| * Originally published at 2023-06-29 01:00:00 (UTC) | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.