CVE-2024-43398

ADVISORY - github

Summary

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

EPSS Score⁠: 0.02366 (0.844)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-776⁠

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

ADVISORY - github

CWE-776⁠

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-776⁠

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-776⁠

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.