VulnerableCode Package Details - pkg:deb/debian/rubygems@3.3.15-2%2Bdeb12u1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-qfe5-w7ge-skfa	A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.	CVE-2023-28755 GHSA-hv5j-3h9f-99c2
VCID-ug6n-hxax-xfgp	URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.	CVE-2025-27221 GHSA-22h5-pq3x-2gf2

Vulnerability

Summary

Aliases

VCID-qfe5-w7ge-skfa

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

CVE-2023-28755
GHSA-hv5j-3h9f-99c2

VCID-ug6n-hxax-xfgp

URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.

CVE-2025-27221
GHSA-22h5-pq3x-2gf2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T18:41:46.858241+00:00	Debian Importer	Fixing	VCID-qfe5-w7ge-skfa	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-03T16:27:36.202357+00:00	Debian Importer	Fixing	VCID-ug6n-hxax-xfgp	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-07-01T16:10:14.343095+00:00	Debian Importer	Fixing	VCID-qfe5-w7ge-skfa	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-07-01T15:32:12.041058+00:00	Debian Importer	Fixing	VCID-ug6n-hxax-xfgp	https://security-tracker.debian.org/tracker/data/json	36.1.3