REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later includes the patch that fixes the vulnerability.
History
Tue, 29 Oct 2024 01:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Metrics | | threat_severity, cvssV3_1 |
Mon, 28 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Ruby, Ruby rexml |
CPEs | | cpe:2.3:a:ruby:rexml:*:*:*:*:*:*:*:* |
Vendors & Products | | Ruby, Ruby rexml |
Metrics | | ssvc |
Mon, 28 Oct 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later includes the patch that fixes the vulnerability. |
Title | | REXML ReDoS vulnerability |
Weaknesses | | CWE-1333 |
References | | |
Metrics | | cvssV4_0 |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-10-28T14:10:23.212Z
Updated: 2024-10-28T14:58:24.116Z
Reserved: 2024-10-18T13:43:23.455Z
Link: CVE-2024-49761
Vulnrichment
Updated: 2024-10-28T14:58:16.358Z
NVD
Status: Awaiting Analysis
Published: 2024-10-28T15:15:05.157
Modified: 2024-10-29T14:34:50.257
Link: CVE-2024-49761
Redhat