CVE-2024-39908

EUVD-2024-2251
 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Affected Products (NVD)
VendorProductVersion
ruby-langrexml
𝑥
< 3.3.2
netappbootstrap_os
-
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
ruby-langrexml
𝑥
< 3.3.2
ADP
Debian logo
Debian Releases
Debian Product
Codename
ruby2.7
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
2.7.4-1+deb11u5
fixed
ruby3.1
bookworm
vulnerable
bookworm (security)
vulnerable
ruby3.3
bookworm
no-dsa
forky
3.3.8-2
fixed
sid
3.3.8-2
fixed
trixie
3.3.8-2
fixed
Common Weakness Enumeration
References
https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908
https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
https://security.netapp.com/advisory/ntap-20250117-0008/
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908