CVE-2024-43398

ADVISORY - github

Summary

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

EPSS Score⁠: 0.02366 (0.844)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-776⁠

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

ADVISORY - github

CWE-776⁠

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-776⁠

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-776⁠

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Impacted images

Advisories

NIST

CREATED

1 year ago

UPDATED

6 days ago

ADVISORY IDCVE-2024-43398⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-776⁠

CVSS SCORE

5.9medium

GitHub

CREATED

1 year ago

UPDATED

6 days ago

ADVISORY IDGHSA-vmwr-mc7x-5vc3⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-776⁠

CVSS SCORE

8.2high

Alpine

CREATED

1 year ago

UPDATED

3 days ago

ADVISORY IDCVE-2024-43398⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Debian

CREATED

1 year ago

UPDATED

1 month ago

ADVISORY IDCVE-2024-43398⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

1 year ago

UPDATED

6 months ago

ADVISORY IDCVE-2024-43398⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

GitLab

CREATED

1 year ago

UPDATED

10 months ago

ADVISORY ID

CVE-2024-43398

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-776⁠CWE-937⁠

CVSS SCORE

5.9medium

Alma

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY IDALSA-2024:6670⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Alma

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY IDALSA-2024:6784⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Alma

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY IDALSA-2024:6785⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Alma

CREATED

6 months ago

UPDATED

6 months ago

ADVISORY IDALSA-2025:4488⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Amazon

CREATED

8 months ago

UPDATED

7 months ago

ADVISORY IDALAS2023-2025-921⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Red Hat

CREATED

1 year ago

UPDATED

8 months ago

ADVISORY IDCVE-2024-43398⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-776⁠

CVSS SCORE

5.9medium

Rocky

CREATED

1 year ago

UPDATED

8 months ago

ADVISORY IDRLSA-2024:6670⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Rocky

CREATED

1 year ago

UPDATED

8 months ago

ADVISORY IDRLSA-2024:6784⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Rocky

CREATED

1 year ago

UPDATED

8 months ago

ADVISORY IDRLSA-2024:6785⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Rocky

CREATED

3 months ago

UPDATED

3 months ago

ADVISORY IDRLSA-2025:4063⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Rocky

CREATED

3 months ago

UPDATED

3 months ago

ADVISORY IDRLSA-2025:4488⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Oracle

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY IDELSA-2024-6670⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Oracle

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY IDELSA-2024-6784⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Oracle

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY IDELSA-2024-6785⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Oracle

CREATED

7 months ago

UPDATED

7 months ago

ADVISORY IDELSA-2025-4063⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Oracle

CREATED

6 months ago

UPDATED

6 months ago

ADVISORY IDELSA-2025-4488⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-24v2-cqfr-9j2w

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-7j5v-cxjm-f8rv

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-7wc8-57gp-j287

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-cwr7-5cpq-rfhg

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-f9jf-pqxp-9c4f

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-fwcc-7mjx-4c8j

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-g699-9xhv-rx9c

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-gcr3-mcv7-cgqv

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-gpq2-hwhm-78qh

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-m429-99wf-94v2

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-mq3p-6x8v-q85m

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-pg34-92v8-xj59

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-pq65-7wj8-j735

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-pq96-mwgx-j88q

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-q5g9-46cr-4hxw

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-qgqg-33rj-jw2h

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-r3j8-hqmr-mpw7

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-rm82-9q24-hq2q

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

4 months ago

UPDATED

4 months ago

ADVISORY ID

CGA-xg93-wp99-5mr2

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

9 months ago

UPDATED

9 months ago

ADVISORY ID

MINI-h522-p92r-4mxc

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY