GHSA-5866-49gr-22v4
First published: Fri Aug 02 2024(Updated: )
### Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. ### Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. ### Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. ### References * https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rexml | <3.3.3 | 3.3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
- https://nvd.nist.gov/vuln/detail/CVE-2024-41946
- https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
- https://github.com/advisories/GHSA-5866-49gr-22v4 (Advisory)
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5866-49gr-22v4
- alias/CVE-2024-41946
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/references
- agent/first-publish-date
- agent/description
- agent/softwarecombine
- agent/event
- agent/type
- agent/tags
- collector/github-advisory
- package-manager/rubygems