CVE-2021-28965: XEE
First published: Mon Apr 05 2021(Updated: )
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-ruby25-ruby | <0:2.5.9-9.el7 | 0:2.5.9-9.el7 |
| redhat/rh-ruby27-ruby | <0:2.7.3-129.el7 | 0:2.7.3-129.el7 |
| redhat/rh-ruby26-ruby | <0:2.6.7-119.el7 | 0:2.6.7-119.el7 |
| redhat/ruby | <2.5.9 | 2.5.9 |
| redhat/ruby | <2.6.7 | 2.6.7 |
| redhat/ruby | <2.7.3 | 2.7.3 |
| redhat/ruby | <3.0.1 | 3.0.1 |
| redhat/rubygem-rexml | <3.2.5 | 3.2.5 |
| REXML Ruby | <3.2.5 | |
| Ruby | <2.6.7 | |
| Ruby | >=2.7.0<2.7.3 | |
| Ruby | >=3.0.0<3.0.1 | |
| Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-28965 https://nvd.nist.gov/vuln/detail/CVE-2021-28965
- https://bugzilla.redhat.com/show_bug.cgi?id=1947526
- https://access.redhat.com/errata/RHSA-2021:2584
- https://access.redhat.com/errata/RHSA-2021:2587
- https://access.redhat.com/errata/RHSA-2021:2588
- https://access.redhat.com/errata/RHSA-2022:0581
- https://access.redhat.com/errata/RHSA-2022:0582
- https://access.redhat.com/errata/RHSA-2021:2104
- https://access.redhat.com/errata/RHSA-2021:2229
- https://access.redhat.com/errata/RHSA-2021:2230
- https://access.redhat.com/security/cve/cve-2021-28965
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/
- https://security.netapp.com/advisory/ntap-20210528-0003/
- https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1947527
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1947528
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1947529
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1947530
- https://access.redhat.com/articles/4639821
- https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
- https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-6-7-released/
- https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/
- https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/
- https://hackerone.com/reports/1104077
- https://github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8
- https://github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5b
- https://github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752
- https://github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551
- https://github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618
- https://github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786e
- https://github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377
- https://github.com/ruby/rexml/compare/v3.2.4...v3.2.5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-28965?
CVE-2021-28965 is a vulnerability that affects the REXML gem in Ruby before versions 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1. It allows an attacker to modify the structure of an XML document, potentially compromising the integrity of processed data.
How does CVE-2021-28965 affect applications?
CVE-2021-28965 can affect applications that use the REXML library in Ruby. When parsing a specially crafted XML document and writing the parsed data back to a new XML document, the resulting document may have a different structure, compromising the integrity of the processed data.
What is the severity of CVE-2021-28965?
CVE-2021-28965 has a severity of 'high' with a CVSS score of 7.0.
How can CVE-2021-28965 be fixed?
To fix CVE-2021-28965, update Ruby to version 2.5.9, 2.6.7, 2.7.3, or 3.0.1, and update the rubygem-rexml package to version 3.2.5.
Where can I find more information about CVE-2021-28965?
You can find more information about CVE-2021-28965 at the following references: [CVE-2021-28965](https://www.cve.org/CVERecord?id=CVE-2021-28965), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-28965), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1947526), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2021:2584).
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-28965
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- vendor/ruby-lang
- canonical/rexml ruby
- canonical/ruby
- version/ruby/2.7.0
- version/ruby/3.0.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/34