CVE-2024-43398

EUVD-2024-2666

22.08.2024, 15:15

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

XML Entity Expansion

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Affected Products (NVD)

Vendor	Product	Version
ruby-lang	rexml	𝑥 < 3.3.6
netapp	bootstrap_os	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

ruby2.7

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	2.7.4-1+deb11u5 fixed

ruby3.1

bookworm	vulnerable
bookworm (security)	vulnerable

ruby3.3

bookworm	no-dsa
forky	3.3.8-2 fixed
sid	3.3.8-2 fixed
trixie	3.3.8-2 fixed

Common Weakness Enumeration

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References

https://github.com/ruby/rexml/releases/tag/v3.3.6

https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3

https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html

https://security.netapp.com/advisory/ntap-20250103-0006/