VDB

CISA-2024-49761

CISA-2024-49761 PUBLISHED CVSS 6.6 MEDIUM

Reported by GitHub_M · Published October 28, 2024

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Risk Scores

CVSS 4.0
6.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Affected Products

VendorProductVersions
rubyrexml< 3.3.9
rubyrexml0, 0
rubyrexml*, < 3.3.9

Timeline

  • Oct 28, 2024 CVE Published
  • Dec 27, 2024 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›