
CVE-2025-27221 – Ubuntu Security Notice USN-7418-1
https://notcve.org/view.php?id=CVE-2025-27221
03 Mar 2025 — In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) inadvertently leak authentication credentials because userinfo is retained even after changing the host. It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, a... • https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CVE-2023-28628 – `authority-regex` returns the wrong authority in lambdaisland/uri
https://notcve.org/view.php?id=CVE-2023-28628
27 Mar 2023 — lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120, `authority-regex` allows an attacker to send malicious URLs to be parsed by `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. For example, a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correc... • https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') • CWE-706: Use of Incorrectly-Resolved Name or Reference