Moderate severityNVD Advisory· Published Jun 29, 2023· Updated Nov 4, 2025
CVE-2023-36617
CVE-2023-36617
Description
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
uriRubyGems | >= 0.10.1, < 0.10.3 | 0.10.3 |
uriRubyGems | >= 0.12.0, < 0.12.2 | 0.12.2 |
uriRubyGems | >= 0.11.0, < 0.11.2 | 0.11.2 |
uriRubyGems | < 0.10.0.3 | 0.10.0.3 |
Affected products
91- osv-coords90 versionspkg:apk/chainguard/jruby-9.4pkg:apk/chainguard/jruby-9.4-default-rubypkg:apk/chainguard/kube-fluentd-operatorpkg:apk/chainguard/kube-fluentd-operator-compatpkg:apk/chainguard/kube-fluentd-operator-default-configpkg:apk/chainguard/kube-fluentd-operator-oci-entrypointpkg:apk/chainguard/logstashpkg:apk/chainguard/logstash-compatpkg:apk/chainguard/logstash-env2yamlpkg:apk/chainguard/logstash-jre-bcfipspkg:apk/chainguard/logstash-jre-bcfips-compatpkg:apk/chainguard/logstash-jre-bcfips-env2yamlpkg:apk/chainguard/logstash-jre-bcfips-with-output-opensearchpkg:apk/chainguard/logstash-with-output-opensearchpkg:apk/chainguard/ruby-3.0pkg:apk/chainguard/ruby-3.0-devpkg:apk/chainguard/ruby-3.0-docpkg:apk/chainguard/ruby-3.1pkg:apk/chainguard/ruby-3.1-basepkg:apk/chainguard/ruby-3.1-base-devpkg:apk/chainguard/ruby-3.1-devpkg:apk/chainguard/ruby-3.1-docpkg:apk/chainguard/ruby-3.2pkg:apk/chainguard/ruby-3.2-basepkg:apk/chainguard/ruby-3.2-base-devpkg:apk/chainguard/ruby-3.2-devpkg:apk/chainguard/ruby-3.2-docpkg:apk/wolfi/jruby-9.4pkg:apk/wolfi/jruby-9.4-default-rubypkg:apk/wolfi/kube-fluentd-operatorpkg:apk/wolfi/kube-fluentd-operator-compatpkg:apk/wolfi/kube-fluentd-operator-default-configpkg:apk/wolfi/kube-fluentd-operator-oci-entrypointpkg:apk/wolfi/logstashpkg:apk/wolfi/logstash-compatpkg:apk/wolfi/logstash-env2yamlpkg:apk/wolfi/logstash-with-output-opensearchpkg:apk/wolfi/ruby-3.0pkg:apk/wolfi/ruby-3.0-devpkg:apk/wolfi/ruby-3.0-docpkg:apk/wolfi/ruby-3.1pkg:apk/wolfi/ruby-3.1-basepkg:apk/wolfi/ruby-3.1-base-devpkg:apk/wolfi/ruby-3.1-devpkg:apk/wolfi/ruby-3.1-docpkg:apk/wolfi/ruby-3.2pkg:apk/wolfi/ruby-3.2-basepkg:apk/wolfi/ruby-3.2-base-devpkg:apk/wolfi/ruby-3.2-devpkg:apk/wolfi/ruby-3.2-docpkg:gem/uripkg:rpm/almalinux/rubypkg:rpm/almalinux/ruby-bundled-gemspkg:rpm/almalinux/ruby-default-gemspkg:rpm/almalinux/ruby-develpkg:rpm/almalinux/ruby-docpkg:rpm/almalinux/rubygem-abrtpkg:rpm/almalinux/rubygem-abrt-docpkg:rpm/almalinux/rubygem-bigdecimalpkg:rpm/almalinux/rubygem-bsonpkg:rpm/almalinux/rubygem-bson-docpkg:rpm/almalinux/rubygem-bundlerpkg:rpm/almalinux/rubygem-bundler-docpkg:rpm/almalinux/rubygem-did_you_meanpkg:rpm/almalinux/rubygem-io-consolepkg:rpm/almalinux/rubygem-irbpkg:rpm/almalinux/rubygem-jsonpkg:rpm/almalinux/rubygem-minitestpkg:rpm/almalinux/rubygem-mongopkg:rpm/almalinux/rubygem-mongo-docpkg:rpm/almalinux/rubygem-mysql2pkg:rpm/almalinux/rubygem-mysql2-docpkg:rpm/almalinux/rubygem-net-telnetpkg:rpm/almalinux/rubygem-opensslpkg:rpm/almalinux/rubygem-pgpkg:rpm/almalinux/rubygem-pg-docpkg:rpm/almalinux/rubygem-power_assertpkg:rpm/almalinux/rubygem-psychpkg:rpm/almalinux/rubygem-rakepkg:rpm/almalinux/rubygem-rbspkg:rpm/almalinux/rubygem-rdocpkg:rpm/almalinux/rubygem-rexmlpkg:rpm/almalinux/rubygem-rsspkg:rpm/almalinux/rubygemspkg:rpm/almalinux/rubygems-develpkg:rpm/almalinux/rubygem-test-unitpkg:rpm/almalinux/rubygem-typeprofpkg:rpm/almalinux/rubygem-xmlrpcpkg:rpm/almalinux/ruby-irbpkg:rpm/almalinux/ruby-libs
< 9.4.5.0-r1+ 89 more
- (no CPE)range: < 9.4.5.0-r1
- (no CPE)range: < 9.4.5.0-r1
- (no CPE)range: < 1.18.2-r33
- (no CPE)range: < 1.18.2-r33
- (no CPE)range: < 1.18.2-r33
- (no CPE)range: < 1.18.2-r33
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 9.4.5.0-r1
- (no CPE)range: < 9.4.5.0-r1
- (no CPE)range: < 1.18.2-r33
- (no CPE)range: < 1.18.2-r33
- (no CPE)range: < 1.18.2-r33
- (no CPE)range: < 1.18.2-r33
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 8.15.0-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.1.4-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: < 3.2.2-r2
- (no CPE)range: >= 0.10.1, < 0.10.3
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.4.0-1.module_el8.7.0+3304+9392e77f
- (no CPE)range: < 0.4.0-1.module_el8.7.0+3304+9392e77f
- (no CPE)range: < 3.1.1-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 4.3.0-2.module_el8.5.0+2625+ec418553
- (no CPE)range: < 4.3.0-2.module_el8.5.0+2625+ec418553
- (no CPE)range: < 2.3.26-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 1.16.1-4.module_el8.10.0+3871+342e2c2f
- (no CPE)range: < 1.2.0-112.module_el8.10.0+3871+342e2c2f
- (no CPE)range: < 0.5.11-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 1.4.1-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 2.6.1-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 5.15.0-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 2.5.1-2.module_el8.5.0+2625+ec418553
- (no CPE)range: < 2.5.1-2.module_el8.5.0+2625+ec418553
- (no CPE)range: < 0.5.3-3.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.5.3-3.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.1.1-112.module_el8.10.0+3871+342e2c2f
- (no CPE)range: < 2.1.2-112.module_el8.10.0+3871+342e2c2f
- (no CPE)range: < 1.3.2-1.module_el8.7.0+3304+9392e77f
- (no CPE)range: < 1.3.2-1.module_el8.7.0+3304+9392e77f
- (no CPE)range: < 2.0.1-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 4.0.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 13.0.6-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 2.7.0-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 6.4.0-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.2.5-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.2.9-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.3.26-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.3.26-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.5.3-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.21.3-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.3.0-112.module_el8.10.0+3871+342e2c2f
- (no CPE)range: < 2.5.9-112.module_el8.10.0+3871+342e2c2f
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
Patches
Vulnerability mechanics
References
21- github.com/advisories/GHSA-hww2-5g85-429mghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2023-36617ghsaADVISORY
- github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bbghsaWEB
- github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6ghsaWEB
- github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0ghsaWEB
- github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35fghsaWEB
- github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35cghsaWEB
- github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3ghsaWEB
- github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921ghsaWEB
- github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8faghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.ymlghsaWEB
- lists.debian.org/debian-lts-announce/2024/09/msg00000.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXFghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXFghsaWEB
- security.netapp.com/advisory/ntap-20230725-0002ghsaWEB
- www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617ghsaWEB
- security.netapp.com/advisory/ntap-20230725-0002/mitre
- www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/mitre
News mentions
0No linked articles in our index yet.