VDB
CISA-2024-49761
CISA-2024-49761
PUBLISHED
CVSS 6.6 MEDIUM
Reported by GitHub_M · Published October 28, 2024
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Risk Scores
CVSS 4.0
6.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ruby | rexml | < 3.3.9 |
| ruby | rexml | 0, 0 |
| ruby | rexml | *, < 3.3.9 |
Timeline
- Oct 28, 2024 CVE Published
- Dec 27, 2024 CVE Updated
References
- https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m x_refsource_CONFIRM
- https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f x_refsource_MISC
- https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761 x_refsource_MISC
- https://security.netapp.com/advisory/ntap-20241227-0004/ url