CVE-2024-41946: REXML DoS vulnerability
First published: Thu Aug 01 2024(Updated: )
### Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. ### Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. ### References * https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rexml | <3.3.3 | 3.3.3 |
| REXML Ruby | <3.3.3 | |
| debian/ruby2.7 | <=2.7.4-1+deb11u1 | 2.7.4-1+deb11u5 |
| debian/ruby3.1 | <=3.1.2-7+deb12u1<=3.1.2-8.5 | |
| debian/ruby3.3 | 3.3.7-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
- https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
- https://nvd.nist.gov/vuln/detail/CVE-2024-41946
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
- https://github.com/advisories/GHSA-5866-49gr-22v4 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2024-41946
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41946
- https://security-tracker.debian.org/tracker/CVE-2024-41946
- https://ubuntu.com/security/CVE-2024-41946
- https://access.redhat.com/errata/RHSA-2024:6670
- https://access.redhat.com/errata/RHSA-2024:6702
- https://access.redhat.com/errata/RHSA-2024:6703
- https://access.redhat.com/errata/RHSA-2024:6784
- https://access.redhat.com/errata/RHSA-2024:6785
- https://bugzilla.redhat.com/show_bug.cgi?id=2302272
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/
- https://github.com/ruby/rexml/pull/187
- https://security.netapp.com/advisory/ntap-20250117-0007
- https://security.netapp.com/advisory/ntap-20250117-0007/
Frequently Asked Questions
What is the severity of CVE-2024-41946?
CVE-2024-41946 has been identified as a DoS vulnerability with potential impact on systems parsing untrusted XML.
How do I fix CVE-2024-41946?
To mitigate CVE-2024-41946, update the REXML gem to version 3.3.3 or later.
Which versions of REXML are affected by CVE-2024-41946?
REXML versions prior to 3.3.3 are affected by CVE-2024-41946.
Can CVE-2024-41946 affect Ruby applications?
Yes, CVE-2024-41946 can affect Ruby applications that use the REXML gem to parse untrusted XML data.
What is the impact of CVE-2024-41946 on XML parsing?
CVE-2024-41946 can lead to denial of service when parsing XML containing a large number of entity expansions using SAX2 or pull parser API.
- agent/title
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/remedy
- agent/severity
- collector/launchpad-cve
- source/Launchpad
- collector/usn-cve
- source/Ubuntu
- agent/event
- agent/description
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-41946
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5866-49gr-22v4
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/source
- collector/github-advisory
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- package-manager/rubygems
- vendor/ruby-lang
- canonical/rexml ruby
- package-manager/debian