[RUBYSEC:REXML-2024-35176] REXML contains a denial of service vulnerability

Severity Medium
Affected Packages 1
Fixed Packages 1
CVEs 1

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it
parses an XML document that has many '<' characters in an attribute value.

If you need to parse untrusted XML documents, you may be affected
by this vulnerability.

Patches

The REXML gem 3.2.7 or later includes the patch that fixes this
vulnerability.

Workarounds

Don't parse untrusted XMLs.
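One way to apply the workaround above to input you cannot avoid parsing, as an added example (not code from the advisory or from the rexml gem): a pre-parse guard that counts '<' characters inside attribute values, the input shape the Impact section describes, and a version check against the fixed release. The threshold MAX_LT_IN_ATTR and the function names are assumptions made here.

```ruby
# Added example, not part of the RubySec advisory or the rexml gem.
# Guards untrusted XML before it reaches REXML::Document.new by counting
# '<' characters that appear inside quoted attribute values.
# MAX_LT_IN_ATTR is an assumed threshold, not a value from the advisory.
MAX_LT_IN_ATTR = 16

# Scans the raw XML text and returns the number of '<' characters found
# inside quoted attribute values. The scan is a conservative heuristic:
# quotes inside comments or CDATA can make it over-count, which only
# causes a rejection (fails closed), never an under-count of real tags.
def lt_in_attribute_values(xml)
  count = 0
  in_tag = false
  quote = nil
  xml.each_char do |c|
    if quote
      # inside a quoted attribute value
      if c == quote
        quote = nil
      elsif c == '<'
        count += 1
      end
    elsif in_tag
      if c == '"' || c == "'"
        quote = c
      elsif c == '>'
        in_tag = false
      end
    elsif c == '<'
      in_tag = true
    end
  end
  count
end

# True when the document is at or below the threshold and may be handed
# to REXML; false when it should be rejected without parsing.
def safe_to_parse?(xml, limit = MAX_LT_IN_ATTR)
  lt_in_attribute_values(xml) <= limit
end

# True when the given rexml version already carries the fix
# (3.2.7 or later, per the advisory).
def rexml_patched?(version)
  Gem::Version.new(version) >= Gem::Version.new('3.2.7')
end
```

The version check takes the installed gem version as an argument (for example `Gem.loaded_specs['rexml'].version.to_s`) so it can be exercised without loading REXML.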

References

Affected Version: pkg:gem/rexml < 3.2.7
Fixed Version: pkg:gem/rexml >= 3.2.7
ID: RUBYSEC:REXML-2024-35176
Severity: medium
URL: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
Published: 2024-05-16T00:00:00
Modified: 2024-05-16T20:19:21
Rights: RubySec Security Team