CVE-2024-41123: REXML DoS vulnerability
First published: Thu Aug 01 2024(Updated: )
### Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. ### Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. ### Workarounds Don't parse untrusted XMLs. ### References * https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability * https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rexml | <3.3.3 | 3.3.3 |
| Ruby-lang Rexml | <3.2.7 | |
| Ruby-lang Rexml | >=3.2.8<3.3.2 | |
| debian/ruby2.7 | <=2.7.4-1+deb11u1<=2.7.4-1+deb11u2 | |
| debian/ruby3.1 | <=3.1.2-7+deb12u1<=3.1.2-8.4 | |
| debian/ruby3.2 | <=3.2.3-1 | |
| debian/ruby3.3 | 3.3.5-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
- https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
- https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123
- https://nvd.nist.gov/vuln/detail/CVE-2024-41123
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41123.yml
- https://github.com/advisories/GHSA-r55c-59qm-vjw6 (Advisory)
- https://access.redhat.com/errata/RHSA-2024:6670
- https://access.redhat.com/errata/RHSA-2024:6702
- https://access.redhat.com/errata/RHSA-2024:6703
- https://access.redhat.com/errata/RHSA-2024:6784
- https://access.redhat.com/errata/RHSA-2024:6785
- https://bugzilla.redhat.com/show_bug.cgi?id=2302268
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123
- https://launchpad.net/bugs/cve/CVE-2024-41123
- https://security-tracker.debian.org/tracker/CVE-2024-41123
- https://ubuntu.com/security/CVE-2024-41123
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
- agent/title
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r55c-59qm-vjw6
- alias/CVE-2024-41123
- agent/software-canonical-lookup
- collector/github-advisory
- agent/severity
- collector/nvd-api
- source/NVD
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/softwarecombine
- agent/description
- agent/tags
- agent/event
- package-manager/rubygems
- vendor/ruby-lang
- canonical/ruby-lang rexml
- version/ruby-lang rexml/3.2.8
- package-manager/debian