Denial of Service Vulnerability in REXML XML Toolkit for Ruby
CVE-2024-41123

5.3 MEDIUM

Key Information:

Vendor: Ruby
Status: Vendor
CVE Published: 1 August 2024

What is CVE-2024-41123?

The REXML gem, an XML processing library for Ruby, is susceptible to Denial of Service (DoS) in versions prior to 3.3.2 because of how it parses XML documents containing particular character sequences, namely whitespace, ]> and > characters. An attacker can trigger the flaw by supplying crafted XML input to an application that parses it with REXML, potentially disrupting the service. REXML 3.3.3 and later contain the patches that address these issues; applications that depend on the toolkit should upgrade to a fixed version.
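The practical response to this advisory is to confirm which REXML version a process actually loads and, while an upgrade is pending, keep untrusted XML away from the parser unless it passes basic resource guards. The following Ruby snippet is an added example written for this page; it is not code from the REXML project or the advisory. The version comparison uses the page's fixed-version boundary (rexml < 3.3.3 is affected); the size limit and parse timeout values are assumed defaults chosen for illustration, and the sample document is constructed.

```ruby
require 'rubygems'   # provides Gem::Version for semantic version comparison
require 'timeout'

# REXML is a bundled gem and may be absent in a minimal Ruby install, so guard the load.
begin
  require 'rexml/document'
  REXML_AVAILABLE = true
rescue LoadError
  REXML_AVAILABLE = false
end

# First REXML release the advisory lists as fixed (affected range: rexml < 3.3.3).
FIXED_REXML_VERSION = Gem::Version.new('3.3.3')

# Constructed sample input: a small, well-formed document used for the demo below.
SAMPLE_XML = '<root><item id="1">ok</item></root>'

# True when the given REXML version string falls inside the affected range.
def vulnerable_rexml_version?(version_string)
  Gem::Version.new(version_string) < FIXED_REXML_VERSION
end

# Version string of the REXML loaded in this process, or nil when it is not loaded.
def loaded_rexml_version
  return nil unless REXML_AVAILABLE
  REXML::VERSION
end

# Parse XML from an untrusted source with two defensive guards (assumed defaults):
#   - reject input larger than max_bytes before the parser ever sees it
#   - bound wall-clock time spent parsing with Timeout, so a pathological
#     document cannot hold the worker indefinitely
# Returns [:ok, document], [:rejected, reason] or [:timeout, nil].
def parse_untrusted_xml(xml, max_bytes: 1_000_000, timeout_s: 2)
  return [:rejected, :too_large] if xml.bytesize > max_bytes
  return [:rejected, :rexml_unavailable] unless REXML_AVAILABLE

  doc = Timeout.timeout(timeout_s) { REXML::Document.new(xml) }
  [:ok, doc]
rescue Timeout::Error
  [:timeout, nil]
rescue StandardError
  # REXML::ParseException and friends: malformed input is rejected, not re-raised.
  [:rejected, :malformed]
end

if __FILE__ == $PROGRAM_NAME
  version = loaded_rexml_version
  if version.nil?
    puts 'REXML not loaded in this process'
  else
    status = vulnerable_rexml_version?(version) ? 'AFFECTED (< 3.3.3)' : 'fixed'
    puts "loaded rexml #{version}: #{status}"
  end
  state, doc = parse_untrusted_xml(SAMPLE_XML)
  puts "sample parse: #{state}#{doc ? " root=#{doc.root.name}" : ''}"
end
```

The size and time limits are generic defence in depth and do not replace the upgrade: they only bound how much CPU a single crafted document can consume before the request is abandoned. Run the version check as part of deployment or CI so that a process still loading an affected REXML is reported rather than silently served.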

Affected Version(s)

rexml < 3.3.3

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published