Lucene search

GoogleOSV:GHSA-VG3R-RM7W-2XGH

HistoryMay 16, 2024 - 5:44 p.m.

REXML contains a denial of service vulnerability

2024-05-1617:44:04

Google

osv.dev

rexml

vulnerability

xmlparsing

dos

patch

untrustedxmls

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.1%

JSON

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you many be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don’t parse untrusted XMLs.

References

https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

CPENameOperatorVersion
rexmleq3.2.3
rexmleq3.2.6
rexmleq3.2.5
rexmleq3.2.2
rexmleq3.2.1
rexmleq3.2.4
rexmleq3.1.9.1
rexmleq3.1.9
rexmleq3.2.0
rexmleq3.1.7.3

Name	Operator	Version
rexml	eq	3.2.3
rexml	eq	3.2.6
rexml	eq	3.2.5
rexml	eq	3.2.2
rexml	eq	3.2.1
rexml	eq	3.2.4
rexml	eq	3.1.9.1
rexml	eq	3.1.9
rexml	eq	3.2.0
rexml	eq	3.1.7.3

Rows per page:

1-10 of 111

References

github.com/ruby/rexml

github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb

github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh

nvd.nist.gov/vuln/detail/CVE-2024-35176

www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176