Lucene search

RubySecRUBY:REXML-2024-35176

HistoryMay 15, 2024 - 9:00 p.m.

REXML contains a denial of service vulnerability

2024-05-1521:00:00

RubySec

rubysec.com

rexml

denial of service

vulnerability

parsing

xml

attribute values

patch

fix

untrusted

workaround

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it
parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you many be impacted
to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this
vulnerability.

Workarounds

Don’t parse untrusted XMLs.

References

https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

CPENameOperatorVersion
rexmllt3.2.7

CPE	Name	Operator	Version
	rexml	lt	3.2.7

References

github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Related for RUBY:REXML-2024-35176