ALT-PU-2025-2183-3 — gem-rexml

BDU:2024-07419

HIGH7.5

Уязвимость набора инструментов XML для Ruby REXML, связанная с неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-09-24Modified: 2025-04-30

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2024-41946

BDU:2024-07430

MEDIUM5.9

Уязвимость набора инструментов XML для Ruby REXML, связанная с неправильным ограничением рекурсивных ссылок на сущности в DTD, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-09-24

CVSS 3.xMEDIUM 5.9

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 5.4

CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:C

References

CVE-2024-43398

CVE-2024-41946

HIGH7.5

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Published: 2024-08-01Modified: 2025-11-03

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2024-43398

MEDIUM5.9

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Published: 2024-08-22Modified: 2025-11-03

CVSS 3.xMEDIUM 5.9

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

GHSA-5866-49gr-22v4

MEDIUM6.9

REXML DoS vulnerability

Published: 2024-08-02Modified: 2025-11-04

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

GHSA-vmwr-mc7x-5vc3

HIGH8.2

REXML denial of service vulnerability

Published: 2024-08-22Modified: 2025-11-04

CVSS 3.xHIGH 8.2

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0HIGH 8.2

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

Package update gem-rexml in branch c10f2

Closed issues (6)

Уязвимость набора инструментов XML для Ruby REXML, связанная с неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

REXML DoS vulnerability

REXML denial of service vulnerability