CVE-2024-49761

EUVD-2024-2910
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
Affected Products (NVD)
VendorProductVersion
ruby-langrexml
𝑥
< 3.3.9
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
rubyrexml
𝑥
< 3.3.9
ADP
Debian logo
Debian Releases
Debian Product
Codename
ruby2.7
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
2.7.4-1+deb11u5
fixed
ruby3.1
bookworm
vulnerable
bookworm (security)
vulnerable
ruby3.3
bookworm
no-dsa
forky
3.3.8-2
fixed
sid
3.3.8-2
fixed
trixie
3.3.8-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jruby
bionic
needs-triage
focal
needs-triage
jammy
dne
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
trusty
needs-triage
xenial
needs-triage
ruby2.3
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
xenial
Fixed 2.3.1-2~ubuntu16.04.16+esm10
released
ruby2.5
bionic
Fixed 2.5.1-1ubuntu1.16+esm4
released
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
ruby2.7
focal
Fixed 2.7.0-5ubuntu1.15
released
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
ruby3.0
focal
dne
jammy
Fixed 3.0.2-7ubuntu2.8
released
noble
dne
oracular
dne
plucky
dne
questing
dne
ruby3.2
focal
dne
jammy
dne
noble
Fixed 3.2.3-1ubuntu0.24.04.3
released
oracular
dne
plucky
dne
questing
dne
ruby3.3
focal
dne
jammy
dne
noble
dne
oracular
Fixed 3.3.4-2ubuntu5.1
released
plucky
Fixed 3.3.4-2ubuntu6
released
questing
Fixed 3.3.4-2ubuntu6
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libruby2_5-2_5
suse enterprise desktop 15 SP6
2.5.9-150000.4.36.1
fixed
suse enterprise desktop 15 SP7
2.5.9-150700.24.6.1
fixed
suse enterprise sap 15 SP3
2.5.9-150000.4.36.1
fixed
suse enterprise sap 15 SP4
2.5.9-150000.4.36.1
fixed
suse enterprise sap 15 SP5
2.5.9-150000.4.36.1
fixed
suse enterprise sap 15 SP6
2.5.9-150000.4.36.1
fixed
suse enterprise sap 15 SP7
2.5.9-150700.24.6.1
fixed
suse enterprise server 15 SP2
2.5.9-150000.4.36.1
fixed
suse enterprise server 15 SP3
2.5.9-150000.4.36.1
fixed
suse enterprise server 15 SP4
2.5.9-150000.4.36.1
fixed
suse enterprise server 15 SP5
2.5.9-150000.4.36.1
fixed
suse enterprise server 15 SP6
2.5.9-150000.4.36.1
fixed
suse enterprise server 15 SP7
2.5.9-150700.24.6.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
pcs
RHEL 8
0:0.10.18-2.el8_10.6
fixed
RHEL 8.6 E4S
0:0.10.12-6.el8_6.9
fixed
RHEL 8.6 TUS
0:0.10.12-6.el8_6.9
fixed
RHEL 8.8 E4S
0:0.10.15-4.el8_8.8
fixed
RHEL 8.8 TUS
0:0.10.15-4.el8_8.8
fixed
pcs-snmp
RHEL 8
0:0.10.18-2.el8_10.6
fixed
RHEL 8.6 E4S
0:0.10.12-6.el8_6.9
fixed
RHEL 8.6 TUS
0:0.10.12-6.el8_6.9
fixed
RHEL 8.8 E4S
0:0.10.15-4.el8_8.8
fixed
RHEL 8.8 TUS
0:0.10.15-4.el8_8.8
fixed
ruby
RHEL 9
0:3.0.7-163.el9_5
fixed
ruby-default-gems
RHEL 9
0:3.0.7-163.el9_5
fixed
ruby-devel
RHEL 9
0:3.0.7-163.el9_5
fixed
ruby-doc
RHEL 9
0:3.0.7-163.el9_5
fixed
ruby-libs
RHEL 9
0:3.0.7-163.el9_5
fixed
rubygem-bigdecimal
RHEL 9
0:3.0.0-163.el9_5
fixed
rubygem-bundler
RHEL 9
0:2.2.33-163.el9_5
fixed
rubygem-io-console
RHEL 9
0:0.5.7-163.el9_5
fixed
rubygem-irb
RHEL 9
0:1.3.5-163.el9_5
fixed
rubygem-json
RHEL 9
0:2.5.1-163.el9_5
fixed
rubygem-minitest
RHEL 9
0:5.14.2-163.el9_5
fixed
rubygem-power
RHEL 9
0:1.2.1-163.el9_5
fixed
rubygem-psych
RHEL 9
0:3.3.2-163.el9_5
fixed
rubygem-rake
RHEL 9
0:13.0.3-163.el9_5
fixed
rubygem-rbs
RHEL 9
0:1.4.0-163.el9_5
fixed
rubygem-rdoc
RHEL 9
0:6.3.4.1-163.el9_5
fixed
rubygem-rexml
RHEL 9
0:3.2.5-163.el9_5
fixed
rubygem-rss
RHEL 9
0:0.2.9-163.el9_5
fixed
rubygem-test-unit
RHEL 9
0:3.3.7-163.el9_5
fixed
rubygem-typeprof
RHEL 9
0:0.15.2-163.el9_5
fixed
rubygems
RHEL 9
0:3.2.33-163.el9_5
fixed
rubygems-devel
RHEL 9
0:3.2.33-163.el9_5
fixed
Common Weakness Enumeration
References
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
https://security.netapp.com/advisory/ntap-20241227-0004/