{"api_version":"1","generated_at":"2026-04-22T21:27:34+00:00","cve":"CVE-2023-28755","urls":{"html":"https://cve.report/CVE-2023-28755","api":"https://cve.report/api/cve/CVE-2023-28755.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-28755","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-28755"},"summary":{"title":"CVE-2023-28755","description":"A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-03-31 04:15:00","updated_at":"2024-01-24 05:15:00"},"problem_types":["CWE-1333"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/","name":"FEDORA-2023-f58d72c700","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: ruby-3.1.4-175.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230526-0003/","name":"https://security.netapp.com/advisory/ntap-20230526-0003/","refsource":"CONFIRM","tags":[],"title":"CVE-2023-28755 Ruby Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.ruby-lang.org/en/downloads/releases/","name":"https://www.ruby-lang.org/en/downloads/releases/","refsource":"MISC","tags":[],"title":"Ruby Releases","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/","name":"https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/","refsource":"MISC","tags":[],"title":"Ruby 3.2.0 Released","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/","name":"FEDORA-2023-a7be7ea1aa","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: ruby-3.1.4-175.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/","name":"FEDORA-2023-f58d72c700","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: ruby-3.1.4-175.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202401-27","name":"GLSA-202401-27","refsource":"","tags":[],"title":"Ruby: Multiple vulnerabilities (GLSA 202401-27) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html","name":"[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3408-1] jruby security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/","name":"FEDORA-2023-a7be7ea1aa","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: ruby-3.1.4-175.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/ruby/uri/releases/","name":"https://github.com/ruby/uri/releases/","refsource":"MISC","tags":[],"title":"Releases · ruby/uri · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/","name":"https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/","refsource":"CONFIRM","tags":[],"title":"CVE-2023-28755: ReDoS vulnerability in URI","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/","name":"FEDORA-2023-6b924d3b75","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 38 Update: ruby-3.2.2-180.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/","name":"FEDORA-2023-6b924d3b75","refsource":"","tags":[],"title":"[SECURITY] Fedora 38 Update: ruby-3.2.2-180.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28755","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28755","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"28755","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28755","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28755","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28755","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28755","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"uri","cpe6":"0.10.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28755","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"uri","cpe6":"0.11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28755","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"uri","cpe6":"0.12.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28755","vulnerable":"1","versionEndIncluding":"0.10.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"uri","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-28755","qid":"160771","title":"Oracle Enterprise Linux Security Update for ruby:2.7 (ELSA-2023-3821)"},{"cve":"CVE-2023-28755","qid":"161185","title":"Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2023-7025)"},{"cve":"CVE-2023-28755","qid":"161427","title":"Oracle Enterprise Linux Security Update for ruby:3.1 (ELSA-2024-1431)"},{"cve":"CVE-2023-28755","qid":"161454","title":"Oracle Enterprise Linux Security Update for ruby:3.1 (ELSA-2024-1576)"},{"cve":"CVE-2023-28755","qid":"181757","title":"Debian Security Update for jruby (DLA 3408-1)"},{"cve":"CVE-2023-28755","qid":"181830","title":"Debian Security Update for ruby2.5 (DLA 3447-1)"},{"cve":"CVE-2023-28755","qid":"199319","title":"Ubuntu Security Notification for Ruby Vulnerabilities (USN-6055-1)"},{"cve":"CVE-2023-28755","qid":"199350","title":"Ubuntu Security Notification for Ruby Vulnerabilities (USN-6087-1)"},{"cve":"CVE-2023-28755","qid":"199434","title":"Ubuntu Security Notification for Ruby Vulnerabilities (USN-6181-1)"},{"cve":"CVE-2023-28755","qid":"199461","title":"Ubuntu Security Notification for Ruby Vulnerabilities (USN-6219-1)"},{"cve":"CVE-2023-28755","qid":"241557","title":"Red Hat Update for rh-ruby27-ruby security (RHSA-2023:3291)"},{"cve":"CVE-2023-28755","qid":"241760","title":"Red Hat Update for ruby:2.7 security (RHSA-2023:3821)"},{"cve":"CVE-2023-28755","qid":"242449","title":"Red Hat Update for ruby:2.5 (RHSA-2023:7025)"},{"cve":"CVE-2023-28755","qid":"243097","title":"Red Hat Update for ruby:3.1 security (RHSA-2024:1431)"},{"cve":"CVE-2023-28755","qid":"243151","title":"Red Hat Update for ruby:3.1 security (RHSA-2024:1576)"},{"cve":"CVE-2023-28755","qid":"283908","title":"Fedora Security Update for ruby (FEDORA-2023-a7be7ea1aa)"},{"cve":"CVE-2023-28755","qid":"283913","title":"Fedora Security Update for ruby (FEDORA-2023-f58d72c700)"},{"cve":"CVE-2023-28755","qid":"284200","title":"Fedora Security Update for ruby (FEDORA-2023-6b924d3b75)"},{"cve":"CVE-2023-28755","qid":"296100","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 58.144.3 Missing (CPUAPR2023)"},{"cve":"CVE-2023-28755","qid":"355241","title":"Amazon Linux Security Advisory for ruby3.2 : ALAS2023-2023-158"},{"cve":"CVE-2023-28755","qid":"356299","title":"Amazon Linux Security Advisory for ruby : ALASRUBY3.0-2023-001"},{"cve":"CVE-2023-28755","qid":"378703","title":"Alibaba Cloud Linux Security Update for ruby:2.7 (ALINUX3-SA-2023:0080)"},{"cve":"CVE-2023-28755","qid":"502701","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2023-28755","qid":"502702","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2023-28755","qid":"502703","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2023-28755","qid":"504380","title":"Alpine Linux Security Update for ruby"},{"cve":"CVE-2023-28755","qid":"673240","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-2366)"},{"cve":"CVE-2023-28755","qid":"673247","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-2392)"},{"cve":"CVE-2023-28755","qid":"673497","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-2708)"},{"cve":"CVE-2023-28755","qid":"673836","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-2666)"},{"cve":"CVE-2023-28755","qid":"691106","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for rubygem (9b60bba1-cf18-11ed-bd44-080027f5fec9)"},{"cve":"CVE-2023-28755","qid":"710844","title":"Gentoo Linux Ruby Multiple Vulnerabilities (GLSA 202401-27)"},{"cve":"CVE-2023-28755","qid":"755145","title":"SUSE Enterprise Linux Security Update for ruby2.5 (SUSE-SU-2023:4176-1)"},{"cve":"CVE-2023-28755","qid":"941165","title":"AlmaLinux Security Update for ruby:2.7 (ALSA-2023:3821)"},{"cve":"CVE-2023-28755","qid":"941437","title":"AlmaLinux Security Update for ruby:2.5 (ALSA-2023:7025)"},{"cve":"CVE-2023-28755","qid":"941625","title":"AlmaLinux Security Update for ruby:3.1 (ALSA-2024:1431)"},{"cve":"CVE-2023-28755","qid":"941633","title":"AlmaLinux Security Update for ruby:3.1 (ALSA-2024:1576)"},{"cve":"CVE-2023-28755","qid":"961138","title":"Rocky Linux Security Update for ruby:3.1 (RLSA-2024:1431)"},{"cve":"CVE-2023-28755","qid":"961149","title":"Rocky Linux Security Update for ruby:3.1 (RLSA-2024:1576)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2023-28755","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/","refsource":"MISC","name":"https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/"},{"url":"https://www.ruby-lang.org/en/downloads/releases/","refsource":"MISC","name":"https://www.ruby-lang.org/en/downloads/releases/"},{"url":"https://github.com/ruby/uri/releases/","refsource":"MISC","name":"https://github.com/ruby/uri/releases/"},{"refsource":"CONFIRM","name":"https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/","url":"https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/"},{"refsource":"FEDORA","name":"FEDORA-2023-6b924d3b75","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/"},{"refsource":"FEDORA","name":"FEDORA-2023-a7be7ea1aa","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/"},{"refsource":"FEDORA","name":"FEDORA-2023-f58d72c700","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230526-0003/","url":"https://security.netapp.com/advisory/ntap-20230526-0003/"}]}},"nvd":{"publishedDate":"2023-03-31 04:15:00","lastModifiedDate":"2024-01-24 05:15:00","problem_types":["CWE-1333"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:uri:0.12.0:*:*:*:*:ruby:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:uri:0.10.1:*:*:*:*:ruby:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*","versionEndIncluding":"0.10.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:uri:0.11.0:*:*:*:*:ruby:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}