REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
History

Sat, 14 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Tus

Fri, 13 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
CPEs cpe:/a:redhat:rhel_aus:8.2
Vendors & Products Redhat rhel Aus

Thu, 12 Dec 2024 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_e4s:9.0

Thu, 12 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel Eus

Sat, 07 Dec 2024 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9

Thu, 05 Dec 2024 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
Vendors & Products Redhat enterprise Linux

Wed, 04 Dec 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat rhel E4s
CPEs cpe:/a:redhat:rhel_e4s:9.0::highavailability
Vendors & Products Redhat
Redhat rhel E4s

Fri, 22 Nov 2024 15:45:00 +0000

Type Values Removed Values Added
Metrics threat_severity

Moderate

threat_severity

Important


Tue, 05 Nov 2024 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-lang
Ruby-lang rexml
CPEs cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*
Vendors & Products Ruby-lang
Ruby-lang rexml
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 29 Oct 2024 01:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 28 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Ruby
Ruby rexml
CPEs cpe:2.3:a:ruby:rexml:*:*:*:*:*:*:*:*
Vendors & Products Ruby
Ruby rexml
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Oct 2024 14:30:00 +0000

Type Values Removed Values Added
Description REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Title REXML ReDoS vulnerability
Weaknesses CWE-1333
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-10-28T14:10:23.212Z

Updated: 2024-10-28T14:58:24.116Z

Reserved: 2024-10-18T13:43:23.455Z

Link: CVE-2024-49761

cve-icon Vulnrichment

Updated: 2024-10-28T14:58:16.358Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-28T15:15:05.157

Modified: 2024-11-05T16:41:46.660

Link: CVE-2024-49761

cve-icon Redhat

Severity : Important

Publid Date: 2024-10-28T14:10:23Z

Links: CVE-2024-49761 - Bugzilla