CVE-2024-41946

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*

History

05 Sep 2024, 16:09

Type Values Removed Values Added
Summary
  • (es) REXML es un conjunto de herramientas XML para Ruby. La gema REXML 3.3.2 tiene una vulnerabilidad DoS cuando analiza un XML que tiene muchas expansiones de entidad con SAX2 o API de analizador de extracción. La gema REXML 3.3.3 o posterior incluye el parche para corregir la vulnerabilidad.
References () https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368 - () https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368 - Patch
References () https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4 - () https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4 - Vendor Advisory
References () https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml - () https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml - Not Applicable
References () https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946 - () https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946 - Vendor Advisory
CPE cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 7.5
First Time Ruby-lang
Ruby-lang rexml

01 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-01 15:15

Updated : 2024-09-05 16:09


NVD link : CVE-2024-41946

Mitre link : CVE-2024-41946

CVE.ORG link : CVE-2024-41946


JSON object : View

Products Affected

ruby-lang

  • rexml
CWE
CWE-400

Uncontrolled Resource Consumption