GHSA-vg3r-rm7w-2xgh: REXML contains a denial of service vulnerability

Impact

The REXML gem 3.2.6 or earlier has a denial-of-service (DoS) vulnerability when it parses an XML document that has many '<' characters in an attribute value.

If you need to parse untrusted XML, you may be affected by this vulnerability.

Patches

The REXML gem 3.2.7 or later includes the patch that fixes this vulnerability.

Workarounds

Do not parse untrusted XML until you have upgraded to a fixed version.
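The following is an added example, not part of this advisory or of REXML's own code. It shows how a service that must keep accepting XML can apply the Patches and Workarounds advice above: it checks whether the loaded REXML is 3.2.7 or later, and before handing any untrusted input to the parser it makes one cheap linear pass that rejects documents whose attribute values contain many '<' characters, the trigger described under Impact. The module name, the thresholds, and the sample inputs are assumptions made for this example.

```ruby
# Added example, not REXML project code: a guard applied to untrusted XML
# before it reaches REXML. Module name, thresholds and sample inputs are
# assumptions made for illustration.
require "rexml/document" # also defines REXML::VERSION

module UntrustedXmlGuard
  # First REXML release that carries the fix, per the advisory.
  PATCHED_REXML = Gem::Version.new("3.2.7")
  # Assumed limits for this example; tune to what your documents legitimately contain.
  MAX_LT_IN_ATTRIBUTE = 16
  MAX_BYTES = 1_000_000

  class Rejected < StandardError; end

  # True when the given REXML version string (default: the loaded one) is fixed.
  def self.rexml_patched?(version = REXML::VERSION)
    Gem::Version.new(version) >= PATCHED_REXML
  end

  # One linear pass over the raw text: for every name="value" / name='value'
  # pair, count the '<' characters inside the quotes and return the largest
  # count seen. Well-formed XML never has a raw '<' in an attribute value, so
  # any non-zero count is already suspicious; a large one is the advisory's trigger.
  def self.max_lt_per_attribute(xml)
    max = 0
    xml.scan(/[\w:.-]+\s*=\s*("[^"]*"|'[^']*')/) do |captures|
      n = captures.first.count("<")
      max = n if n > max
    end
    max
  end

  # Raises Rejected if the input should not be handed to the parser.
  def self.check!(xml)
    raise Rejected, "input too large (#{xml.bytesize} bytes)" if xml.bytesize > MAX_BYTES
    lt = max_lt_per_attribute(xml)
    raise Rejected, "attribute value holds #{lt} '<' characters" if lt > MAX_LT_IN_ATTRIBUTE
    :ok
  end

  def self.safe?(xml)
    check!(xml)
    true
  rescue Rejected
    false
  end

  # Parse only after the guard passes, so a vulnerable REXML never sees the payload.
  def self.parse(xml)
    check!(xml)
    REXML::Document.new(xml)
  end
end

# Constructed sample inputs (not captured traffic).
BENIGN_XML = %(<?xml version="1.0"?><user name="alice" role="admin"><note>hi</note></user>)
# Same shape as the trigger described under Impact: many '<' inside one attribute value.
SUSPICIOUS_XML = %(<user name="#{'<' * 10_000}"/>)

if __FILE__ == $PROGRAM_NAME
  puts "loaded REXML #{REXML::VERSION}, patched: #{UntrustedXmlGuard.rexml_patched?}"
  puts "benign accepted:     #{UntrustedXmlGuard.safe?(BENIGN_XML)}"      # true
  puts "suspicious accepted: #{UntrustedXmlGuard.safe?(SUSPICIOUS_XML)}"  # false
  puts UntrustedXmlGuard.parse(BENIGN_XML).root.attributes["name"]        # alice
end
```

The scan is a heuristic that over-approximates: it also matches name="value" text that appears outside tags, so it may reject odd but harmless input, and it does nothing about the other parsing issues listed in the related distribution notices. It buys time; the fix is upgrading REXML to 3.2.7 or later.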

References

  • https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

Moderate severity. GitHub Reviewed. Published May 16, 2024 in ruby/rexml. Updated May 16, 2024.

Related news

Ubuntu Security Notice USN-7091-2

Ubuntu Security Notice 7091-2 - USN-7091-1 fixed several vulnerabilities in Ruby. This update provides the corresponding update for ruby2.7 in Ubuntu 20.04 LTS. It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. It was discovered that Ruby incorrectly handled parsing of an XML document that has many entity expansions with the SAX2 or pull parser API. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. It was discovered that Ruby incorrectly handled parsing of an XML document that has many digits in a hex numeric character reference. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service.

Ubuntu Security Notice USN-7091-1

Ubuntu Security Notice 7091-1 - It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. It was discovered that Ruby incorrectly handled parsing of an XML document that has many entity expansions with the SAX2 or pull parser API. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service.

Red Hat Security Advisory 2024-5338-03

Red Hat Security Advisory 2024-5338-03 - An update for pcs is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-4499-03

Red Hat Security Advisory 2024-4499-03 - An update for ruby is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.