2349700 – (CVE-2025-27221) CVE-2025-27221 uri: userinfo leakage in URI#join, URI#merge and URI#+

Bug 2349700 (CVE-2025-27221) - CVE-2025-27221 uri: userinfo leakage in URI#join, URI#merge and URI#+

Summary: CVE-2025-27221 uri: userinfo leakage in URI#join, URI#merge and URI#+

Keywords:
Status:	NEW
Alias:	CVE-2025-27221
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-04 00:01 UTC by OSIDB Bzimport
Modified:	2025-05-26 08:33 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:4063	None	None	None	2025-04-22 02:18:09 UTC
Red Hat Product Errata	RHSA-2025:4488	None	None	None	2025-05-06 02:28:00 UTC
Red Hat Product Errata	RHSA-2025:4493	None	None	None	2025-05-06 02:28:10 UTC
Red Hat Product Errata	RHSA-2025:8131	None	None	None	2025-05-26 08:33:47 UTC

Description OSIDB Bzimport 2025-03-04 00:01:11 UTC

In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

Comment 2 errata-xmlrpc 2025-04-22 02:18:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:4063 https://access.redhat.com/errata/RHSA-2025:4063

Comment 3 errata-xmlrpc 2025-05-06 02:27:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4488 https://access.redhat.com/errata/RHSA-2025:4488

Comment 4 errata-xmlrpc 2025-05-06 02:28:09 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4493 https://access.redhat.com/errata/RHSA-2025:4493

Comment 5 errata-xmlrpc 2025-05-26 08:33:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:8131 https://access.redhat.com/errata/RHSA-2025:8131

Note You need to log in before you can comment on or make changes to this bug.