Fluid Attacks Database

Description

REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many >s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	ruby3.1	=3.1.2-7 \|\| =3.1.2-7+deb12u1 \|\| =3.1.2-7+hurd.1 \|\| =3.1.2-8 \|\| =3.1.2-8.1~exp1 \|\| =3.1.2-8.3 \|\| =3.1.2-8.4 \|\| =3.1.2-8.5	-
debian 11	ruby2.7	=2.7.4-1 \|\| =2.7.4-1+deb11u1 \|\| =2.7.4-1+deb11u2 \|\| >=0 <2.7.4-1+deb11u3	2.7.4-1+deb11u3
rubygems	rexml	>=0 <3.2.7	3.2.7
rpm rhel10	ruby	-	-
rpm rhel7	ruby	-	-
rpm rhel9	pcs	-	-
rpm rhel6	ruby	-	-
rpm rhel8	ruby	<0:2.5.9-112.module+el8.10.0+22021+135c76a8	0:2.5.9-112.module+el8.10.0+22021+135c76a8
rpm rhel8	pcs	<0:0.10.18-2.el8_10.1	0:0.10.18-2.el8_10.1
rpm rhel9	ruby	-	-

Aliases

References