Denial of Service Vulnerability in REXML Toolkit for Ruby
CVE-2024-41946
7.5 HIGH
What is CVE-2024-41946?
The REXML toolkit for Ruby contains a vulnerability in its XML parsing code that can lead to Denial of Service (DoS). Specifically, version 3.3.2 of the REXML gem is affected when it parses an XML document containing many entity expansions through the SAX2 or pull parser API. An attacker can exploit this weakness by supplying crafted XML that overwhelms the parser and exhausts its resources. Versions 3.3.3 and later fix the vulnerability; upgrading is the mitigation.
Affected Version(s)
rexml < 3.3.3
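As an added example (not part of this advisory), a small dependency audit that reads a Gemfile.lock, extracts the locked rexml version and compares it against the fixed version 3.3.3 given above; the lockfile contents are constructed for illustration.

```ruby
# Added example: flag a locked rexml version inside the range the advisory
# lists (rexml < 3.3.3). Constructed sample lockfiles, not a real project.
require "rubygems" # provides Gem::Version for correct semantic comparison

FIXED_REXML_VERSION = Gem::Version.new("3.3.3")

# A direct gem entry in the GEM/specs section of a Gemfile.lock is indented
# by four spaces, e.g. "    rexml (3.3.2)"; its own dependencies use six.
# Returns the locked rexml version string, or nil when rexml is not locked.
def locked_rexml_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}rexml \((\d+(?:\.\d+)*)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# True when the version falls inside the affected range (below 3.3.3).
# Gem::Version avoids string-comparison mistakes such as "3.10.0" < "3.3.3".
def rexml_affected?(version_string)
  Gem::Version.new(version_string) < FIXED_REXML_VERSION
end

# :affected, :fixed or :not_present for a given lockfile's contents.
def audit(lockfile_text)
  version = locked_rexml_version(lockfile_text)
  return :not_present if version.nil?
  rexml_affected?(version) ? :affected : :fixed
end

# Constructed sample lockfile (squiggly heredoc strips the common indent).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.3.2)
        strscan

  PLATFORMS
    ruby
LOCK

PATCHED_LOCK = VULNERABLE_LOCK.sub("rexml (3.3.2)", "rexml (3.3.3)")

if $PROGRAM_NAME == __FILE__
  puts "sample lock:  #{audit(VULNERABLE_LOCK)}" # affected
  puts "patched lock: #{audit(PATCHED_LOCK)}"    # fixed
end
```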
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published