CVE-2024-43398

EUVD-2024-2666

22.08.2024, 15:15

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

XML Entity Expansion

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Affected Products (NVD)

Vendor	Product	Version
ruby-lang	rexml	𝑥 < 3.3.6
netapp	bootstrap_os	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

ruby2.7

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	2.7.4-1+deb11u5 fixed

ruby3.1

bookworm	vulnerable
bookworm (security)	vulnerable

ruby3.3

bookworm	no-dsa
forky	3.3.8-2 fixed
sid	3.3.8-2 fixed
trixie	3.3.8-2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

libruby2_5-2_5

suse enterprise desktop 15 SP5	2.5.9-150000.4.32.1 fixed
suse enterprise desktop 15 SP6	2.5.9-150000.4.32.1 fixed
suse enterprise desktop 15 SP7	2.5.9-150700.22.16 fixed
suse enterprise sap 15 SP2	2.5.9-150000.4.32.1 fixed
suse enterprise sap 15 SP3	2.5.9-150000.4.32.1 fixed
suse enterprise sap 15 SP4	2.5.9-150000.4.32.1 fixed
suse enterprise sap 15 SP5	2.5.9-150000.4.32.1 fixed
suse enterprise sap 15 SP6	2.5.9-150000.4.32.1 fixed
suse enterprise sap 15 SP7	2.5.9-150700.22.16 fixed
suse enterprise server 15 SP2	2.5.9-150000.4.32.1 fixed
suse enterprise server 15 SP3	2.5.9-150000.4.32.1 fixed
suse enterprise server 15 SP4	2.5.9-150000.4.32.1 fixed
suse enterprise server 15 SP5	2.5.9-150000.4.32.1 fixed
suse enterprise server 15 SP6	2.5.9-150000.4.32.1 fixed
suse enterprise server 15 SP7	2.5.9-150700.22.16 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

pcs

RHEL 8	0:0.10.18-2.el8_10.2 fixed
RHEL 8.6 E4S	0:0.10.12-6.el8_6.6 fixed
RHEL 8.6 TUS	0:0.10.12-6.el8_6.6 fixed
RHEL 8.8 AUS	0:0.10.15-4.el8_8.3 fixed
RHEL 8.8 E4S	0:0.10.15-4.el8_8.3 fixed
RHEL 8.8 EUS	0:0.10.15-4.el8_8.3 fixed
RHEL 8.8 TUS	0:0.10.15-4.el8_8.3 fixed

pcs-snmp

RHEL 8	0:0.10.18-2.el8_10.2 fixed
RHEL 8.6 E4S	0:0.10.12-6.el8_6.6 fixed
RHEL 8.6 TUS	0:0.10.12-6.el8_6.6 fixed
RHEL 8.8 AUS	0:0.10.15-4.el8_8.3 fixed
RHEL 8.8 E4S	0:0.10.15-4.el8_8.3 fixed
RHEL 8.8 EUS	0:0.10.15-4.el8_8.3 fixed
RHEL 8.8 TUS	0:0.10.15-4.el8_8.3 fixed

Common Weakness Enumeration

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References

https://github.com/ruby/rexml/releases/tag/v3.3.6

https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3

https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html

https://security.netapp.com/advisory/ntap-20250103-0006/