Lucene search

K

Veracode Vulnerability DatabaseVERACODE:48409

HistoryAug 07, 2024 - 9:46 a.m.

Denial Of Service (DoS)

2024-08-0709:46:22

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7

rexml

vulnerability

xml parsing

entity expansion

resource consumption

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7

Confidence

High

EPSS

0.001

Percentile

23.8%

REXML is vulnerable to Denial Of Service (DoS). The vulnerability is due to a lack of proper entity expansion limits in its XML parsing with SAX2 or pull parser API. The vulnerability allows for excessive resource consumption when handling XML documents with numerous nested or repeated entities.

References

github.com/advisories/GHSA-5866-49gr-22v4

github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368

github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4

github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml

www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml

www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/

www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946

www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7

Confidence

High

EPSS

0.001

Percentile

23.8%

Related for VERACODE:48409

redhatcve1 osv7 vulnrichment1 nvd1 github1 cvelist1 debiancve1 wolfi1 alpinelinux1 rubygems1 cve1 almalinux1 nessus6 redos1 redhat5 rocky1 oraclelinux2 ibm1