REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
History

Tue, 29 Oct 2024 01:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 28 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Ruby
Ruby rexml
CPEs cpe:2.3:a:ruby:rexml:*:*:*:*:*:*:*:*
Vendors & Products Ruby
Ruby rexml
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Oct 2024 14:30:00 +0000

Type Values Removed Values Added
Description REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Title REXML ReDoS vulnerability
Weaknesses CWE-1333
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-10-28T14:10:23.212Z

Updated: 2024-10-28T14:58:24.116Z

Reserved: 2024-10-18T13:43:23.455Z

Link: CVE-2024-49761

cve-icon Vulnrichment

Updated: 2024-10-28T14:58:16.358Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-28T15:15:05.157

Modified: 2024-10-29T14:34:50.257

Link: CVE-2024-49761

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-10-28T14:10:23Z

Links: CVE-2024-49761 - Bugzilla