CVE-2024-41946

Name
CVE-2024-41946
Description
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
MISC https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
MISC https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
MISC https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946

Match rules

CPE URI Source package Min version Max version
rexml >= 0 < 3.3.3
cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:* ruby-rexml >= 0 < 3.3.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
ruby-rexml 3.18-main 3.2.5-r3 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
ruby-rexml 3.17-main 3.2.5-r2 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
ruby-rexml edge-main 3.3.9-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
ruby-rexml 3.21-main 3.3.9-r0 Jakub Jirutka <jakub@jirutka.cz> fixed