CVE-2024-41946

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*

History

17 Jan 2025, 20:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 5.3
References
  • () https://security.netapp.com/advisory/ntap-20250117-0007/ -

05 Sep 2024, 16:09

Type Values Removed Values Added
CPE cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*
First Time Ruby-lang
Ruby-lang rexml
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 7.5
References () https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368 - () https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368 - Patch
References () https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4 - () https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4 - Vendor Advisory
References () https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml - () https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml - Not Applicable
References () https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946 - () https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946 - Vendor Advisory
Summary
  • (es) REXML es un conjunto de herramientas XML para Ruby. La gema REXML 3.3.2 tiene una vulnerabilidad DoS cuando analiza un XML que tiene muchas expansiones de entidad con SAX2 o API de analizador de extracción. La gema REXML 3.3.3 o posterior incluye el parche para corregir la vulnerabilidad.

01 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-01 15:15

Updated : 2025-01-17 20:15


NVD link : CVE-2024-41946

Mitre link : CVE-2024-41946

CVE.ORG link : CVE-2024-41946


JSON object : View

Products Affected

ruby-lang

  • rexml
CWE
CWE-400

Uncontrolled Resource Consumption