CVE-2024-49761

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49761.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-49761

Aliases

GHSA-2rxp-v6pw-ch6m

Related

Published

2024-10-28T15:15:05Z

Modified

2024-11-12T00:47:25.292584Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

References

Affected packages

Alpine:v3.19 / ruby-rexml

Package

Name: ruby-rexml
Purl: pkg:apk/alpine/ruby-rexml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.9-r0

Affected versions

3.*

3.2.5-r0

3.2.5-r1

3.2.5-r2

3.2.5-r3

3.2.6-r0

Alpine:v3.20 / ruby-rexml

Package

Name: ruby-rexml
Purl: pkg:apk/alpine/ruby-rexml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.9-r0

Affected versions

3.*

3.2.5-r0

3.2.5-r1

3.2.5-r2

3.2.5-r3

3.2.6-r0

3.2.6-r1

3.2.9-r0

Debian:12 / ruby3.1

Package

Name: ruby3.1
Purl: pkg:deb/debian/ruby3.1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.2-7

3.1.2-7+deb12u1

3.1.2-7+hurd.1

3.1.2-8

3.1.2-8.1~exp1

3.1.2-8.3

3.1.2-8.4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby3.1

Package

Name: ruby3.1
Purl: pkg:deb/debian/ruby3.1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.2-7

3.1.2-7+hurd.1

3.1.2-8

3.1.2-8.1~exp1

3.1.2-8.3

3.1.2-8.4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby3.3

Package

Name: ruby3.3
Purl: pkg:deb/debian/ruby3.3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.1-1

3.3.1-2

3.3.1-3

3.3.1-4

3.3.1-5

3.3.1-6

3.3.4-1

3.3.4-2

3.3.4-2+hurd.1

3.3.5-1

3.3.5-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/ruby/rexml

Affected ranges

Type: GIT
Repo: https://github.com/ruby/rexml
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ce59f2eb1aeb371fe1643414f06618dbe031979f

Affected versions

v3.*

v3.1.8

v3.1.9

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8