CVE-2024-43398

EUVD-2024-2666
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.
XML Entity Expansion
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
Affected Products (NVD)
VendorProductVersion
ruby-langrexml
𝑥
< 3.3.6
netappbootstrap_os
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby2.7
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
2.7.4-1+deb11u5
fixed
ruby3.1
bookworm
vulnerable
bookworm (security)
vulnerable
ruby3.3
bookworm
no-dsa
forky
3.3.8-2
fixed
sid
3.3.8-2
fixed
trixie
3.3.8-2
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libruby2_5-2_5
suse enterprise desktop 15 SP5
2.5.9-150000.4.32.1
fixed
suse enterprise desktop 15 SP6
2.5.9-150000.4.32.1
fixed
suse enterprise desktop 15 SP7
2.5.9-150700.22.16
fixed
suse enterprise sap 15 SP2
2.5.9-150000.4.32.1
fixed
suse enterprise sap 15 SP3
2.5.9-150000.4.32.1
fixed
suse enterprise sap 15 SP4
2.5.9-150000.4.32.1
fixed
suse enterprise sap 15 SP5
2.5.9-150000.4.32.1
fixed
suse enterprise sap 15 SP6
2.5.9-150000.4.32.1
fixed
suse enterprise sap 15 SP7
2.5.9-150700.22.16
fixed
suse enterprise server 15 SP2
2.5.9-150000.4.32.1
fixed
suse enterprise server 15 SP3
2.5.9-150000.4.32.1
fixed
suse enterprise server 15 SP4
2.5.9-150000.4.32.1
fixed
suse enterprise server 15 SP5
2.5.9-150000.4.32.1
fixed
suse enterprise server 15 SP6
2.5.9-150000.4.32.1
fixed
suse enterprise server 15 SP7
2.5.9-150700.22.16
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
pcs
RHEL 8
0:0.10.18-2.el8_10.2
fixed
RHEL 8.6 E4S
0:0.10.12-6.el8_6.6
fixed
RHEL 8.6 TUS
0:0.10.12-6.el8_6.6
fixed
RHEL 8.8 AUS
0:0.10.15-4.el8_8.3
fixed
RHEL 8.8 E4S
0:0.10.15-4.el8_8.3
fixed
RHEL 8.8 EUS
0:0.10.15-4.el8_8.3
fixed
RHEL 8.8 TUS
0:0.10.15-4.el8_8.3
fixed
pcs-snmp
RHEL 8
0:0.10.18-2.el8_10.2
fixed
RHEL 8.6 E4S
0:0.10.12-6.el8_6.6
fixed
RHEL 8.6 TUS
0:0.10.12-6.el8_6.6
fixed
RHEL 8.8 AUS
0:0.10.15-4.el8_8.3
fixed
RHEL 8.8 E4S
0:0.10.15-4.el8_8.3
fixed
RHEL 8.8 EUS
0:0.10.15-4.el8_8.3
fixed
RHEL 8.8 TUS
0:0.10.15-4.el8_8.3
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
ruby3.2
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-bundled-gems
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-bundled-gems-debuginfo
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-debuginfo
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-debugsource
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-default-gems
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-devel
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-doc
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-libs
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-libs-debuginfo
Amazon Linux 2023
0:3.2.7-183.amzn2023.0.1
fixed
ruby3.2-rubygem-bigdecimal
Amazon Linux 2023
0:3.1.3-183.amzn2023.0.1
fixed
ruby3.2-rubygem-bigdecimal-debuginfo
Amazon Linux 2023
0:3.1.3-183.amzn2023.0.1
fixed
ruby3.2-rubygem-bundler
Amazon Linux 2023
0:2.4.19-183.amzn2023.0.1
fixed
ruby3.2-rubygem-io-console
Amazon Linux 2023
0:0.6.0-183.amzn2023.0.1
fixed
ruby3.2-rubygem-io-console-debuginfo
Amazon Linux 2023
0:0.6.0-183.amzn2023.0.1
fixed
ruby3.2-rubygem-irb
Amazon Linux 2023
0:1.6.2-183.amzn2023.0.1
fixed
ruby3.2-rubygem-json
Amazon Linux 2023
0:2.6.3-183.amzn2023.0.1
fixed
ruby3.2-rubygem-json-debuginfo
Amazon Linux 2023
0:2.6.3-183.amzn2023.0.1
fixed
ruby3.2-rubygem-minitest
Amazon Linux 2023
0:5.25.1-183.amzn2023.0.1
fixed
ruby3.2-rubygem-power_assert
Amazon Linux 2023
0:2.0.3-183.amzn2023.0.1
fixed
ruby3.2-rubygem-psych
Amazon Linux 2023
0:5.0.1-183.amzn2023.0.1
fixed
ruby3.2-rubygem-psych-debuginfo
Amazon Linux 2023
0:5.0.1-183.amzn2023.0.1
fixed
ruby3.2-rubygem-rake
Amazon Linux 2023
0:13.0.6-183.amzn2023.0.1
fixed
ruby3.2-rubygem-rbs
Amazon Linux 2023
0:2.8.2-183.amzn2023.0.1
fixed
ruby3.2-rubygem-rbs-debuginfo
Amazon Linux 2023
0:2.8.2-183.amzn2023.0.1
fixed
ruby3.2-rubygem-rdoc
Amazon Linux 2023
0:6.5.1.1-183.amzn2023.0.1
fixed
ruby3.2-rubygem-rexml
Amazon Linux 2023
0:3.3.9-183.amzn2023.0.1
fixed
ruby3.2-rubygem-rss
Amazon Linux 2023
0:0.3.1-183.amzn2023.0.1
fixed
ruby3.2-rubygem-test-unit
Amazon Linux 2023
0:3.5.7-183.amzn2023.0.1
fixed
ruby3.2-rubygem-typeprof
Amazon Linux 2023
0:0.21.3-183.amzn2023.0.1
fixed
ruby3.2-rubygems
Amazon Linux 2023
0:3.4.19-183.amzn2023.0.1
fixed
ruby3.2-rubygems-devel
Amazon Linux 2023
0:3.4.19-183.amzn2023.0.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
ruby
Azure Linux 3.0
0:3.3.5-1.azl3
fixed
CBL-Mariner 2.0
0:3.1.7-1.cm2
fixed
rubygem-rexml
Azure Linux 3.0
0:3.3.9-1.azl3
fixed
CBL-Mariner 2.0
0:3.2.9-1.cm2
fixed