-
-
Notifications
You must be signed in to change notification settings - Fork 218
/
CVE-2024-43398.yml
52 lines (39 loc) · 1.51 KB
/
CVE-2024-43398.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
---
gem: rexml
cve: 2024-43398
ghsa: vmwr-mc7x-5vc3
url: https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
title: REXML denial of service vulnerability
date: 2024-08-22
description: |
### Impact
The REXML gem before 3.3.6 has a DoS vulnerability when it parses an
XML that has many deep elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser API like
`REXML::Document.new`, you may be impacted to this vulnerability.
If you use other parser APIs such as stream parser API and SAX2
parser API, this vulnerability is not affected.
This vulnerability has been assigned the CVE identifier CVE-2024-43398.
We strongly recommend upgrading the REXML gem.
### Patches
The REXML gem 3.3.6 or later include the patch to fix the
vulnerability.
### Workarounds
Don't parse untrusted XMLs with tree parser API.
## Affected versions
REXML gem 3.3.5 or prior
## Credits
Thanks to l33thaxor for discovering this issue.
## History
Originally published at 2024-08-22 03:00:00 (UTC)
cvss_v3: 5.9
patched_versions:
- ">= 3.3.6"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-43398
- https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398
- https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
- https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3
- https://github.com/ruby/rexml/releases/tag/v3.3.6
- https://github.com/advisories/GHSA-vmwr-mc7x-5vc3