Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS01ODY2LTQ5Z3ItMjJ2NM4AA-WF

REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

• https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org

Permalink: https://github.com/advisories/GHSA-5866-49gr-22v4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01ODY2LTQ5Z3ItMjJ2NM4AA-WF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 3 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-5866-49gr-22v4, CVE-2024-41946
References:

• https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
• https://nvd.nist.gov/vuln/detail/CVE-2024-41946
• https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
• https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
• https://github.com/advisories/GHSA-5866-49gr-22v4

Repository: https://github.com/ruby/rexml
Blast Radius: 40.7

Affected Packages