GHSA-5866-49gr-22v4

Опубликовано: 02 авг. 2024

Источник: github

Github: Прошло ревью

CVSS4: 6.9

CVSS3: 7.5

Описание

REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org

Ссылки

Пакеты

Наименование

rexml

rubygems

Затронутые версииВерсия исправления

< 3.3.3

3.3.3

EPSS

Процентиль: 83%

0.01972

Низкий

6.9 Medium

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-41946

Дефекты

CWE-400

CWE-770

Связанные уязвимости

CVE-2024-41946

CVSS3: 5.3

ubuntu

11 месяцев назад

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

CVE-2024-41946

CVSS3: 3.3

redhat

11 месяцев назад

CVE-2024-41946

CVSS3: 5.3

nvd

11 месяцев назад

CVE-2024-41946

CVSS3: 7.5

msrc

8 месяцев назад

Описание отсутствует

CVE-2024-41946

CVSS3: 5.3

debian

11 месяцев назад

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulner ...

EPSS

Процентиль: 83%

0.01972

Низкий

6.9 Medium

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-41946

Дефекты

CWE-400

CWE-770