GHSA-r55c-59qm-vjw6

Опубликовано: 01 авг. 2024

Источник: github

Github: Прошло ревью

CVSS4: 6.9

CVSS3: 7.5

Описание

REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

Ссылки

Пакеты

Наименование

rexml

rubygems

Затронутые версииВерсия исправления

< 3.3.3

3.3.3

EPSS

Процентиль: 61%

0.0042

Низкий

6.9 Medium

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-41123

Дефекты

CWE-400

CWE-770

Связанные уязвимости

CVE-2024-41123

CVSS3: 5.3

ubuntu

11 месяцев назад

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

CVE-2024-41123

CVSS3: 5.3

redhat

11 месяцев назад

CVE-2024-41123

CVSS3: 5.3

nvd

11 месяцев назад

CVE-2024-41123

CVSS3: 5.3

debian

11 месяцев назад

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some ...

BDU:2024-07429

CVSS3: 7.5

fstec

11 месяцев назад

Уязвимость набора инструментов XML для Ruby REXML, связанная с неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 61%

0.0042

Низкий

6.9 Medium

CVSS4

7.5 High

CVSS3

CVE ID

CVE-2024-41123

Дефекты

CWE-400

CWE-770