{"api_version":"1","generated_at":"2026-04-22T23:08:34+00:00","cve":"CVE-2023-36617","urls":{"html":"https://cve.report/CVE-2023-36617","api":"https://cve.report/api/cve/CVE-2023-36617.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-36617","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-36617"},"summary":{"title":"CVE-2023-36617","description":"A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-06-29 13:15:00","updated_at":"2023-07-25 15:15:00"},"problem_types":["CWE-1333"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20230725-0002/","name":"https://security.netapp.com/advisory/ntap-20230725-0002/","refsource":"CONFIRM","tags":[],"title":"CVE-2023-36617 Ruby Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/","name":"https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/","refsource":"MISC","tags":[],"title":"CVE-2023-36617: ReDoS vulnerability in URI","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-36617","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36617","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"36617","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"uri","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-36617","qid":"161427","title":"Oracle Enterprise Linux Security Update for ruby:3.1 (ELSA-2024-1431)"},{"cve":"CVE-2023-36617","qid":"161454","title":"Oracle Enterprise Linux Security Update for ruby:3.1 (ELSA-2024-1576)"},{"cve":"CVE-2023-36617","qid":"199461","title":"Ubuntu Security Notification for Ruby Vulnerabilities (USN-6219-1)"},{"cve":"CVE-2023-36617","qid":"243097","title":"Red Hat Update for ruby:3.1 security (RHSA-2024:1431)"},{"cve":"CVE-2023-36617","qid":"243151","title":"Red Hat Update for ruby:3.1 security (RHSA-2024:1576)"},{"cve":"CVE-2023-36617","qid":"673375","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-2868)"},{"cve":"CVE-2023-36617","qid":"673380","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-2800)"},{"cve":"CVE-2023-36617","qid":"673861","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-2824)"},{"cve":"CVE-2023-36617","qid":"673984","title":"EulerOS Security Update for ruby (EulerOS-SA-2023-2851)"},{"cve":"CVE-2023-36617","qid":"941625","title":"AlmaLinux Security Update for ruby:3.1 (ALSA-2024:1431)"},{"cve":"CVE-2023-36617","qid":"941633","title":"AlmaLinux Security Update for ruby:3.1 (ALSA-2024:1576)"},{"cve":"CVE-2023-36617","qid":"961138","title":"Rocky Linux Security Update for ruby:3.1 (RLSA-2024:1431)"},{"cve":"CVE-2023-36617","qid":"961149","title":"Rocky Linux Security Update for ruby:3.1 (RLSA-2024:1576)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2023-36617","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/","url":"https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230725-0002/","url":"https://security.netapp.com/advisory/ntap-20230725-0002/"}]}},"nvd":{"publishedDate":"2023-06-29 13:15:00","lastModifiedDate":"2023-07-25 15:15:00","problem_types":["CWE-1333"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*","versionStartIncluding":"0.11.0","versionEndExcluding":"0.12.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:uri:*:*:*:*:*:ruby:*:*","versionEndExcluding":"0.10.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}