CVE-2024-43398

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ruby/rexml/releases/tag/v3.3.6
https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
https://security.netapp.com/advisory/ntap-20250103-0006/

Configurations

No configuration.

History

03 Jan 2025, 12:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20250103-0006/ -

Information

Published : 2024-08-22 15:15

Updated : 2025-01-03 12:15

NVD link : CVE-2024-43398

Mitre link : CVE-2024-43398

CVE.ORG link : CVE-2024-43398

JSON object : View

Products Affected

No product.

CWE

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

{"id": "CVE-2024-43398", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2024-08-22T15:15:16.440", "references": [{"url": "https://github.com/ruby/rexml/releases/tag/v3.3.6", "source": "security-advisories@github.com"}, {"url": "https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3", "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20250103-0006/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-776"}]}], "descriptions": [{"lang": "en", "value": "REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability."}, {"lang": "es", "value": "REXML es un conjunto de herramientas XML para Ruby. La gema REXML anterior a 3.3.6 tiene una vulnerabilidad DoS cuando analiza un XML que tiene muchos elementos profundos que tienen los mismos atributos de nombre local. Si necesita analizar archivos XML que no son de confianza con una API de analizador de \u00e1rboles como REXML::Document.new, es posible que se vea afectado por esta vulnerabilidad. Si utiliza otras API de analizador, como la API de analizador de flujo y la API de analizador SAX2, esta vulnerabilidad no se ve afectada. La gema REXML 3.3.6 o posterior incluye el parche para corregir la vulnerabilidad."}], "lastModified": "2025-01-03T12:15:25.897", "sourceIdentifier": "security-advisories@github.com"}