7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
28.1%
Submitted previously via email to [email protected] due to REXML not being listed under in-scope assets here. Explicitly requested by @hsbt to re-submit through HackerOne.
CVSS rating calculated based on confirmed downstream impact.
Hi Ruby Security Team,
I’m reaching out to you to report a vulnerability in REXML that renders downstream use-cases susceptible to varying degrees of tampering.
Conceptually the vulnerability is similar to Go encoding/xml bugs publicly disclosed in December. For context, high-level descriptions of those vulnerabilities can be found in the blog post at https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ and in the advisories it references.
In the case of REXML, the specific vulnerability is best explained using a code example:
require 'rexml/document'
# Parse a document whose DOCTYPE internal subset carries a NOTATION declaration
# with a single-quoted system literal that contains a double quote.
doc = REXML::Document.new <<XML
<!DOCTYPE x [ <!NOTATION x SYSTEM 'x">]><X><Z/>
</X>
XML
# Record the first child of the root element as seen by the first parse.
puts "First child in original doc: " + doc.root.elements[1].name
# Serialize with REXML's own writer and parse the result again.
doc = REXML::Document.new doc.to_s
puts "First child after round-trip: " + doc.root.elements[1].name
This program prints two lines of text:
First child in original doc: Y
First child after round-trip: Z
The output demonstrates how the structure of an XML document can change when parsed and serialized using REXML. The expected output from a well-behaving parser would be one where both lines end with “Y”.
Regards,
Juho Nurminen
Staff Product Security Engineer, Mattermost, Inc.
The impact of XML round-trip issues can vary significantly depending on context. SAML implementations affected by such issues can allow authentication bypasses and privilege escalation. SOAP endpoints can allow circumventing business logic or access controls. And in general XML processing loses integrity guarantees.
We are aware of a major SAML implementation affected by this vulnerability, resulting in critical impact in all applications that rely on it. The vulnerability has not been reported to the downstream maintainers since it is an issue in REXML.
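As an added example, not part of the report above and not REXML's or any downstream project's own code: a round-trip stability guard that a consumer of REXML output (a SAML or SOAP handler, for instance) can apply before acting on a document. It parses the input, serializes it with REXML's own writer, parses the result again, and compares a structural fingerprint of the two element trees; a document that changes shape across the round trip is rejected in the same way as a malformed one. The function names, the `RoundTripMismatch` class, the SAML-shaped sample input and the outcome symbols are all assumptions made for this example; the second input is the payload quoted in the report, unchanged.

```ruby
require 'rexml/document'

# Raised when a document's element tree changes across parse -> serialize -> parse.
class RoundTripMismatch < StandardError; end

# Structural fingerprint of an element subtree: expanded name, attributes
# (sorted, since attribute order carries no meaning), the element's own text,
# and children in document order. Two documents with equal fingerprints
# present the same tree to a consumer such as a SAML or SOAP handler.
def fingerprint(element)
  attrs = []
  element.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
  text = element.texts.map(&:value).join.strip
  children = []
  element.each_element { |child| children << fingerprint(child) }
  [element.expanded_name, attrs.sort, text, children]
end

# Parse, serialize with REXML's own writer, parse the result again, and
# compare the two trees. Returns the first parse only when both agree.
def strict_parse(xml)
  original = REXML::Document.new(xml)
  reparsed = REXML::Document.new(original.to_s)
  original_fp = original.root && fingerprint(original.root)
  reparsed_fp = reparsed.root && fingerprint(reparsed.root)
  if original_fp.nil? || original_fp != reparsed_fp
    raise RoundTripMismatch, 'element tree changed after a REXML round trip'
  end
  original
end

def round_trip_stable?(xml)
  strict_parse(xml)
  true
rescue RoundTripMismatch
  false
end

# What a consumer should do with an input: accept only a stable, well-formed
# document, and treat a parse error and a round-trip mismatch alike as rejection.
def classify(xml)
  strict_parse(xml)
  :accepted
rescue RoundTripMismatch
  :rejected_unstable
rescue REXML::ParseException
  :rejected_malformed
rescue StandardError
  :rejected_malformed # any other parser failure is still a rejection
end

# Constructed sample (assumption): a SAML-shaped response with no real
# assertion content and no signature.
BENIGN_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# The payload quoted in the report above, unchanged.
REPORT_PAYLOAD = <<XML
<!DOCTYPE x [ <!NOTATION x SYSTEM 'x">]><X><Z/>
</X>
XML

puts "benign document: #{classify(BENIGN_XML)}"
# If the round trip changes the tree as the report describes, this is
# :rejected_unstable; a parser that refuses the declaration outright gives
# :rejected_malformed. Both are rejections, so the consumer never acts on it.
puts "report payload:  #{classify(REPORT_PAYLOAD)}"
```

The check only detects disagreement between REXML's parser and REXML's own writer; it says nothing about how a different XML library (for example the one used for signature canonicalization) would read the same bytes, so it is defense in depth on the consumer side, not a substitute for a fixed parser. Attribute order is deliberately ignored in the fingerprint, element order is not, because element order is exactly what the report shows changing.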