CVE-2024-43398: REXML denial of service vulnerability
First published: Thu Aug 22 2024(Updated: )
### Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. ### Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with tree parser API. ### References * https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rexml | <3.3.6 | 3.3.6 |
| debian/ruby2.7 | <=2.7.4-1+deb11u1 | 2.7.4-1+deb11u4 |
| debian/ruby3.1 | <=3.1.2-7+deb12u1<=3.1.2-8.5 | |
| debian/ruby3.3 | 3.3.7-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
- https://github.com/ruby/rexml/releases/tag/v3.3.6
- https://security.netapp.com/advisory/ntap-20250103-0006/
- https://nvd.nist.gov/vuln/detail/CVE-2024-43398
- https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-43398.yml
- https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398
- https://security.netapp.com/advisory/ntap-20250103-0006
- https://github.com/advisories/GHSA-vmwr-mc7x-5vc3 (Advisory)
- https://access.redhat.com/errata/RHSA-2024:6670
- https://access.redhat.com/errata/RHSA-2024:6702
- https://access.redhat.com/errata/RHSA-2024:6703
- https://access.redhat.com/errata/RHSA-2024:6784
- https://access.redhat.com/errata/RHSA-2024:6785
- https://bugzilla.redhat.com/show_bug.cgi?id=2307297
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43398
- https://launchpad.net/bugs/cve/CVE-2024-43398
- https://security-tracker.debian.org/tracker/CVE-2024-43398
- https://ubuntu.com/security/CVE-2024-43398
Frequently Asked Questions
What is the severity of CVE-2024-43398?
CVE-2024-43398 has a severity rating of moderate, primarily due to its potential to cause a denial of service.
How do I fix CVE-2024-43398?
To fix CVE-2024-43398, upgrade the REXML gem to version 3.3.6 or later.
What is the impact of CVE-2024-43398?
CVE-2024-43398 can lead to a denial of service when parsing deeply nested XML with similar local name attributes.
Which versions of REXML are affected by CVE-2024-43398?
REXML gem versions prior to 3.3.6 are affected by CVE-2024-43398.
Can I use REXML for parsing untrusted XML data with CVE-2024-43398?
It is not recommended to use REXML for parsing untrusted XML data due to the risk posed by CVE-2024-43398.
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/trending
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vmwr-mc7x-5vc3
- alias/CVE-2024-43398
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/nvd-cve
- collector/redhat-bugzilla
- source/Red Hat
- collector/github-advisory
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/softwarecombine
- agent/source
- agent/event
- agent/tags
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- package-manager/rubygems
- package-manager/debian