Denial of Service Vulnerability in REXML XML Toolkit for Ruby
CVE-2024-41123

7.5 HIGH

Key Information:

Vendor: Ruby-lang
Status: Vendor
CVE Published: 1 August 2024

What is CVE-2024-41123?

REXML, an XML processing library for Ruby, is susceptible to Denial of Service (DoS) in versions prior to 3.3.2 because of how it parses XML documents that contain many specific characters, such as whitespace, ]> and >. An attacker who can supply XML to an application that parses it with a vulnerable REXML can craft input that triggers this behaviour and disrupts the service. REXML 3.3.3 and later include the patches that fix these issues; applications relying on the gem should upgrade.
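As an added defender-side example (not code from the advisory or the REXML project), the following Ruby guard refuses to parse untrusted XML unless the loaded REXML is at least the 3.3.3 release named above, and otherwise parses under a byte cap and a wall-clock budget so that a pathological document cannot stall a worker; the limit values and the helper names are assumptions, not settings REXML itself exposes.

```ruby
# Added example: a guard for code that feeds untrusted XML to REXML.
# Not part of the advisory or the REXML project.
require "rexml/document"
require "timeout"

# First release the advisory lists as patched.
FIXED_REXML = Gem::Version.new("3.3.3")

# True when the given version string is at or beyond the patched release.
def rexml_patched?(version)
  Gem::Version.new(version) >= FIXED_REXML
end

# Parse untrusted XML with limits. max_bytes and seconds are assumed policy
# values chosen by the application; rexml_version defaults to the loaded gem
# and is a parameter only so the check can be exercised in isolation.
def parse_untrusted_xml(xml, max_bytes: 1_000_000, seconds: 2,
                        rexml_version: REXML::VERSION)
  unless rexml_patched?(rexml_version)
    raise ArgumentError, "REXML #{rexml_version} is older than #{FIXED_REXML}"
  end
  if xml.bytesize > max_bytes
    raise ArgumentError, "document of #{xml.bytesize} bytes exceeds #{max_bytes}"
  end
  # Bound wall-clock time so a slow parse cannot monopolise the thread.
  Timeout.timeout(seconds) { REXML::Document.new(xml) }
end

# Constructed sample input for a stand-alone run.
SAMPLE_XML = "<root><item id=\"1\">ok</item></root>"

if __FILE__ == $PROGRAM_NAME
  doc = parse_untrusted_xml(SAMPLE_XML)
  puts "parsed root <#{doc.root.name}> with REXML #{REXML::VERSION}"
end
```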

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published