GHSA-5866-49gr-22v4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5866-49gr-22v4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-5866-49gr-22v4/GHSA-5866-49gr-22v4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5866-49gr-22v4
- Aliases
- Related
- Published
- 2024-08-02T12:33:15Z
- Modified
- 2024-09-05T18:46:20.005250Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- REXML DoS vulnerability
- Details
-
Impact
The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.
If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.
Patches
The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
Workarounds
Don't parse untrusted XMLs with SAX2 or pull parser API.
References
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org
- References
-
- https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
- https://nvd.nist.gov/vuln/detail/CVE-2024-41946
- https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
- https://github.com/ruby/rexml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
Affected packages
RubyGems / rexml
Package
- Name
- rexml
- Purl
- pkg:gem/rexml