vulnerability
Amazon Linux 2023: CVE-2025-27221: Medium priority package update for ruby3.2
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 2 | (AV:L/AC:M/Au:N/C:P/I:N/A:N) | Mar 3, 2025 | Apr 15, 2025 | Jul 17, 2025 |
Severity
2
CVSS
(AV:L/AC:M/Au:N/C:P/I:N/A:N)
Published
Mar 3, 2025
Added
Apr 15, 2025
Modified
Jul 17, 2025
Description
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
A flaw was found in the URI ruby gem package, where userinfo leakage can occur in the uri gem. The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak can occur.
A flaw was found in the URI ruby gem package, where userinfo leakage can occur in the uri gem. The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak can occur.
Solutions
amazon-linux-2023-upgrade-ruby3-2amazon-linux-2023-upgrade-ruby3-2-bundled-gemsamazon-linux-2023-upgrade-ruby3-2-bundled-gems-debuginfoamazon-linux-2023-upgrade-ruby3-2-debuginfoamazon-linux-2023-upgrade-ruby3-2-debugsourceamazon-linux-2023-upgrade-ruby3-2-default-gemsamazon-linux-2023-upgrade-ruby3-2-develamazon-linux-2023-upgrade-ruby3-2-docamazon-linux-2023-upgrade-ruby3-2-libsamazon-linux-2023-upgrade-ruby3-2-libs-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-bigdecimalamazon-linux-2023-upgrade-ruby3-2-rubygem-bigdecimal-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-bundleramazon-linux-2023-upgrade-ruby3-2-rubygem-io-consoleamazon-linux-2023-upgrade-ruby3-2-rubygem-io-console-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-irbamazon-linux-2023-upgrade-ruby3-2-rubygem-jsonamazon-linux-2023-upgrade-ruby3-2-rubygem-json-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-minitestamazon-linux-2023-upgrade-ruby3-2-rubygem-power-assertamazon-linux-2023-upgrade-ruby3-2-rubygem-psychamazon-linux-2023-upgrade-ruby3-2-rubygem-psych-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-rakeamazon-linux-2023-upgrade-ruby3-2-rubygem-rbsamazon-linux-2023-upgrade-ruby3-2-rubygem-rbs-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-rdocamazon-linux-2023-upgrade-ruby3-2-rubygem-rexmlamazon-linux-2023-upgrade-ruby3-2-rubygem-rssamazon-linux-2023-upgrade-ruby3-2-rubygemsamazon-linux-2023-upgrade-ruby3-2-rubygems-develamazon-linux-2023-upgrade-ruby3-2-rubygem-test-unitamazon-linux-2023-upgrade-ruby3-2-rubygem-typeprof
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.