CVE-2024-49761

ADVISORY - github

Summary

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

EPSS Score⁠: 0.01275 (0.789)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-1333⁠

Inefficient Regular Expression Complexity

ADVISORY - github

CWE-1333⁠

Inefficient Regular Expression Complexity

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-1333⁠

Inefficient Regular Expression Complexity

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-1333⁠

Inefficient Regular Expression Complexity

Impacted images

Advisories

NIST

CREATED

1 year ago

UPDATED

6 days ago

ADVISORY IDCVE-2024-49761⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1333⁠

CVSS SCORE

6.6medium

GitHub

CREATED

1 year ago

UPDATED

6 days ago

ADVISORY IDGHSA-2rxp-v6pw-ch6m⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1333⁠

CVSS SCORE

6.6medium

Alpine

CREATED

1 year ago

UPDATED

3 days ago

ADVISORY IDCVE-2024-49761⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Debian

CREATED

1 year ago

UPDATED

1 month ago

ADVISORY IDCVE-2024-49761⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

1 year ago

UPDATED

4 months ago

ADVISORY IDCVE-2024-49761⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5medium

GitLab

CREATED

1 year ago

UPDATED

11 months ago

ADVISORY ID

CVE-2024-49761

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-1333⁠CWE-937⁠

CVSS SCORE

7.5high

Alma

CREATED

11 months ago

UPDATED

11 months ago

ADVISORY IDALSA-2024:10834⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Alma

CREATED

11 months ago

UPDATED

11 months ago

ADVISORY IDALSA-2024:10850⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Alma

CREATED

11 months ago

UPDATED

11 months ago

ADVISORY IDALSA-2024:10858⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Alma

CREATED

11 months ago

UPDATED

11 months ago

ADVISORY IDALSA-2024:10860⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Red Hat

CREATED

1 year ago

UPDATED

8 months ago

ADVISORY IDCVE-2024-49761⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1333⁠

CVSS SCORE

7.5high

Rocky

CREATED

11 months ago

UPDATED

8 months ago

ADVISORY IDRLSA-2024:10834⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Rocky

CREATED

11 months ago

UPDATED

8 months ago

ADVISORY IDRLSA-2024:10850⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Rocky

CREATED

8 months ago

UPDATED

8 months ago

ADVISORY IDRLSA-2024:10858⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Rocky

CREATED

11 months ago

UPDATED

8 months ago

ADVISORY IDRLSA-2024:10860⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Rocky

CREATED

3 months ago

UPDATED

3 months ago

ADVISORY IDRLSA-2025:11047⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Oracle

CREATED

11 months ago

UPDATED

11 months ago

ADVISORY IDELSA-2024-10834⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

11 months ago

UPDATED

11 months ago

ADVISORY IDELSA-2024-10850⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

11 months ago

UPDATED

11 months ago

ADVISORY IDELSA-2024-10858⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

11 months ago

UPDATED

11 months ago

ADVISORY IDELSA-2024-10860⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

4 months ago

UPDATED

4 months ago

ADVISORY IDELSA-2025-11047⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-2gpc-f6rv-mwcf

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-35f5-2796-7j5c

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-3cv5-7q2w-gm55

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-53j8-54vg-rvfj

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-56rj-cgc7-f869

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-7vmr-cv3q-gpcj

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-83cq-9pq8-xrvg

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-cqv9-vmcm-5vx5

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-cwr5-c6j9-f552

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-gr5v-6xfr-x883

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-jc66-vfr7-jhxc

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-m4v5-7rr7-85jx

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

4 months ago

UPDATED

4 months ago

ADVISORY ID

CGA-m7cp-6wwh-r8f5

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-qhfg-ph95-vwcr

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-r55w-gc62-2gcj

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-rvq3-hxxr-fjr7

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

10 months ago

UPDATED

10 months ago

ADVISORY ID

CGA-v6w6-p5jc-5r4x

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

1 year ago

UPDATED

1 year ago

ADVISORY ID

CGA-x2f6-rcg5-h8cx

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Photon

CREATED

11 months ago

UPDATED

2 months ago

ADVISORY ID

CVE-2024-49761

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5high

minimos

CREATED

7 months ago

UPDATED

7 months ago

ADVISORY ID

MINI-ccr5-4hxf-p8rx

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

9 months ago

UPDATED

9 months ago

ADVISORY ID

MINI-mr5h-rc2g-8v42

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY