CVE-2024-41946

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368	Patch
https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4	Vendor Advisory
https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml	Not Applicable
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946	Vendor Advisory
https://security.netapp.com/advisory/ntap-20250117-0007/

Configurations

Configuration 1 (hide)

cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*

History

17 Jan 2025, 20:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20250117-0007/ -

Information

Published : 2024-08-01 15:15

Updated : 2025-01-17 20:15

NVD link : CVE-2024-41946

Mitre link : CVE-2024-41946

CVE.ORG link : CVE-2024-41946

JSON object : View

Products Affected

ruby-lang

rexml

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2024-41946", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-08-01T15:15:14.100", "references": [{"url": "https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20250117-0007/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability."}, {"lang": "es", "value": "REXML es un conjunto de herramientas XML para Ruby. La gema REXML 3.3.2 tiene una vulnerabilidad DoS cuando analiza un XML que tiene muchas expansiones de entidad con SAX2 o API de analizador de extracci\u00f3n. La gema REXML 3.3.3 o posterior incluye el parche para corregir la vulnerabilidad."}], "lastModified": "2025-01-17T20:15:28.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "E5CFEABA-B7D5-4D35-9C56-CC81B839DD36", "versionEndExcluding": "3.3.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}