XML Round-Trip Vulnerability in REXML Gem for Ruby Software
CVE-2021-28965

7.5HIGH

Key Information:

Vendor

Ruby-lang

Status
Ruby
Rexml
Vendor
CVE Published:
21 April 2021

What is CVE-2021-28965?

The REXML gem, utilized in various Ruby implementations, exhibits XML round-trip vulnerabilities prior to version 3.2.5. This flaw may lead to the generation of incorrect documents during the parsing and serialization processes. Developers relying on older versions of Ruby, specifically versions before 2.6.7, 2.7.x prior to 2.7.3, and 3.x before 3.0.1, are at risk. It is crucial for users to upgrade their software to the recommended versions to mitigate potential security risks.

References

https://www.ruby-lang.org/en/news/2021/04/05/xml-round-tr...
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA
https://security.netapp.com/advisory/ntap-20210528-0003/
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.