CVE-2025-27221 (Low) detected in uri-1.0.2.gem #2974
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2025-27221 - Low Severity Vulnerability
URI is a module providing classes to handle Uniform Resource Identifiers
Library home page: https://rubygems.org/gems/uri-1.0.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /vendor/cache/uri-1.0.2.gem
Dependency Hierarchy:
Found in HEAD commit: 65dedddc66b23eed2e7d16bc512a747b79339120
Found in base branch: main
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
Publish Date: 2025-03-03
URL: CVE-2025-27221
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-22h5-pq3x-2gf2
Release Date: 2025-03-03
Fix Resolution: 0.13.2
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: