REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later; Ruby 3.1 is the only affected maintained Ruby. REXML gem 3.3.9 or later includes the patch that fixes the vulnerability.
References
Link | Resource |
---|---|
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f | Patch |
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m | Third Party Advisory |
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761 | Vendor Advisory |
Configurations
History
05 Nov 2024, 16:41
Type | Values Removed | Values Added |
---|---|---|
CPE | | cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:* |
First Time | | Ruby-lang rexml; Ruby-lang |
CVSS | v2 : ; v3 : | v2 : unknown; v3 : 7.5 |
References | | https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f - Patch |
References | | https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m - Third Party Advisory |
References | | https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761 - Vendor Advisory |
29 Oct 2024, 14:34
Type | Values Removed | Values Added |
---|---|---|
Summary | | |
28 Oct 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2024-10-28 15:15
Updated : 2024-11-05 16:41
NVD link : CVE-2024-49761
Mitre link : CVE-2024-49761
CVE.ORG link : CVE-2024-49761
Products Affected
ruby-lang
- rexml
CWE
CWE-1333
Inefficient Regular Expression Complexity