CVE-2024-41946 – rexml

Package

Manager: gem
Name: rexml
Vulnerable Version: >=0 <3.3.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.02289 pctl0.84096

Details

REXML DoS vulnerability ### Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. ### Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. ### References * https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org

Metadata

Created: 2024-08-02T12:33:15Z
Modified: 2025-01-17T21:31:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-5866-49gr-22v4/GHSA-5866-49gr-22v4.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: GHSA-5866-49gr-22v4
Finding: F002
Auto approve: 1