PT-2024-7270 · Ruby+10 · Rexml+10

Mprogrammer · Published 2023-06-27 · Updated 2025-12-10 · CVE-2024-35176

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
REXML versions prior to 3.2.6
REXML versions prior to 3.3.1
REXML versions prior to 3.3.2
REXML versions prior to 3.3.3

Description: The REXML gem has a denial of service vulnerability when it parses an XML document that contains many '<' characters in an attribute value. Those who need to parse untrusted XML may be affected by this vulnerability.

Recommendations:
For REXML versions prior to 3.2.6, update to REXML gem 3.2.7 or later.
For REXML versions prior to 3.3.1, update to REXML gem 3.3.2 or later.
For REXML versions prior to 3.3.2, update to REXML gem 3.3.3 or later.
As a temporary workaround, do not parse untrusted XML.
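A runtime guard for the recommendations above, added here as an example and not code from the advisory or from the REXML project: it checks a REXML version string against the affected ranges stated on this page and refuses to parse untrusted XML while the loaded REXML is affected. It assumes the strictest reading of those ranges (a version counts as fixed only at 3.3.3 or later, or at 3.2.7 or later on the 3.2.x line) and that REXML::VERSION is available once rexml/document is loaded.

```ruby
# Added example (not from the advisory page or the REXML project).
# Assumption: the page's ranges are read strictly, so a version is treated as
# fixed only if it is 3.3.3 or later, or if it is on the 3.2.x line at 3.2.7
# or later (the backport release the page recommends).
require "rubygems" # provides Gem::Version; normally loaded already

FIXED_33 = Gem::Version.new("3.3.3")
FIXED_32 = Gem::Version.new("3.2.7")
NEXT_MINOR = Gem::Version.new("3.3.0")

# Returns true when +version+ (a String such as "3.2.5") falls inside the
# affected ranges for CVE-2024-35176 given on this page.
def rexml_affected?(version)
  v = Gem::Version.new(version)
  return false if v >= FIXED_33                       # 3.3.3+ is fixed
  return false if v >= FIXED_32 && v < NEXT_MINOR     # 3.2.7 .. 3.2.x is fixed
  true
end

# Parse XML from an untrusted source only when the loaded REXML is not
# affected; otherwise raise so the caller applies the page's workaround
# (do not parse untrusted XML) instead of risking a denial of service.
def parse_untrusted_xml(xml_string)
  require "rexml/document"
  if rexml_affected?(REXML::VERSION)
    raise "REXML #{REXML::VERSION} is affected by CVE-2024-35176; " \
          "refusing to parse untrusted XML"
  end
  REXML::Document.new(xml_string)
end
```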

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALSA-2023_3821
ALSA-2023_7025
ALSA-2024:4499
ALSA-2024:5338
ALSA-2024_10834
ALSA-2024_10850
ALSA-2024_10858
ALSA-2024_10860
ALSA-2024_1431
ALSA-2024_1576
ALSA-2024_3500
ALSA-2024_3546
ALSA-2024_3668
ALSA-2024_3670
ALSA-2024_3671
ALSA-2024_3838
ALSA-2024_4499
ALSA-2024_5338
ALSA-2024_6670
ALSA-2024_6784
ALSA-2024_6785
ALSA-2025_10217
ALSA-2025_16880
ALSA-2025_23062
ALSA-2025_23063
ALSA-2025_4488
AZL-42052
AZL-42064
AZL-42070
AZL-42076
BDU:2024-08622
CESA-2024_4499
CESA-2024_5338
CVE-2024-35176
DLA-4018-1
DLA-4018-2
ECHO-324A-2FCD-2194
ELSA-2024-4499
ELSA-2024-5338
GHSA-4XQQ-M2HX-25V8
GHSA-R55C-59QM-VJW6
GHSA-VG3R-RM7W-2XGH
INFSA-2024_4499
INFSA-2024_5338
MGASA-2025-0001
OESA-2024-1824
OPENSUSE-SU-2025:0129-1
RHSA-2024:4499
RHSA-2024:5338
RHSA-2024_4499
RHSA-2024_5338
RLSA-2024:4499
RLSA-2024_4499
RLSA-2024_5338
SUSE-SU-2024:3874-1
SUSE-SU-2024_3874-1
USN-7091-1
USN-7091-2
USN-7418-1
USN-7734-1
USN-7840-1

Affected Products

Almalinux
Astra Linux
Centos
Debian
Linuxmint
Rexml
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu