Initial post for CVE-2023-36617

Author: hsbt

en/news/_posts/2023-06-29-redos-in-uri-CVE-2023-36617.md

@@ -0,0 +1,43 @@
+---
+layout: news_post
+title: "CVE-2023-36617: ReDoS vulnerability in URI"
+author: "hsbt"
+translator:
+date: 2023-06-29 01:00:00 +0000
+tags: security
+lang: en
+---
+
+We have released the uri gem version 0.12.1, 0.10.2 that has a security fix for a ReDoS vulnerability.
+This vulnerability has been assigned the CVE identifier [CVE-2023-36617](https://www.cve.org/CVERecord?id=CVE-2023-36617).
+
+## Details
+
+A ReDoS issue was discovered in the URI component through 0.12.1 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.
+
+NOTE: this issue exists becuse of an incomplete fix for [CVE-2023-28755](https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/).
+
+The `uri` gem version 0.12.1 and all versions prior 0.12.1 are vulnerable for this vulnerability.
+
+## Recommended action
+
+We recommend to update the `uri` gem to 0.12.2. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
+
+* For Ruby 3.0: Update to `uri` 0.10.2
+* For Ruby 3.1 and 3.2: Update to `uri` 0.12.2
+
+You can use `gem update uri` to update it. If you are using bundler, please add `gem "uri", ">= 0.12.2"` (or other version mentioned above) to your `Gemfile`.
+
+## Affected versions
+
+* uri gem 0.12.1 or before
+
+## Credits
+
+Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for discovering this issue.
+
+Thanks to [nobu](https://github.com/nobu) for fixing this issue.
+
+## History
+
+* Originally published at 2023-06-29 01:00:00 (UTC)