PT-2024-8321 · Ruby+12
Manun · Published 2024-10-28 · Updated 2026-03-26
CVE-2024-49761
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the vulnerable software and affected versions: REXML gem versions prior to 3.3.9; Ruby 3.1.
Description: The issue is a ReDoS (regular expression denial-of-service) vulnerability in the REXML gem when parsing XML that contains many digits between &# and x...; in a hex numeric character reference (&#x...;). It can be exploited to perform a denial-of-service attack. The vulnerability does not affect Ruby 3.2 or later; Ruby 3.1 is the only maintained Ruby version that is affected.
Recommendations: For REXML gem versions prior to 3.3.9, update to version 3.3.9 or later to fix the vulnerability. For Ruby 3.1, consider moving to Ruby 3.2 or later instead, as Ruby 3.1 will reach end-of-life in 2025.

Type: DoS

Related Identifiers

ALSA-2024:10834
ALSA-2024:10850
ALSA-2024:10858
ALSA-2024:10860
ALSA-2024_10858
ALSA-2024_10860
ALSA-2025:11047
AZL-51876
AZL-51894
AZL-51904
AZL-51908
BDU:2024-09876
CESA-2024_10834
CESA-2024_10850
CESA-2025_11047
CVE-2024-49761
DLA-4018-1
DLA-4018-2
ECHO-7B6A-B6B8-DEB0
GHSA-2RXP-V6PW-CH6M
INFSA-2024_10834
INFSA-2024_10850
INFSA-2024_10858
INFSA-2024_10860
INFSA-2025_11047
MGASA-2025-0001
OESA-2024-2341
OPENSUSE-SU-2025:0129-1
OPENSUSE-SU-2025_0736-1
RHSA-2024:10777
RHSA-2024:10834
RHSA-2024:10850
RHSA-2024:10858
RHSA-2024:10860
RHSA-2024:10961
RHSA-2024:10964
RHSA-2024:10966
RHSA-2024:10977
RHSA-2024:10982
RHSA-2024:10984
RHSA-2024:11001
RHSA-2024:11027
RHSA-2024:11028
RHSA-2024:11029
RHSA-2024_10834
RHSA-2024_10850
RHSA-2024_10858
RHSA-2024_10860
RHSA-2025:11047
RHSA-2025:12499
RHSA-2025:13269
RHSA-2025:13307
RHSA-2025:15124
RHSA-2025:15371
RHSA-2025:17606
RHSA-2025:17613
RHSA-2025:17614
RHSA-2025:17693
RHSA-2025_11047
RLSA-2024:10834
RLSA-2024:10850
RLSA-2024:10858
RLSA-2024:10860
SUSE-SU-2025:0736-1
SUSE-SU-2025:4264-1
SUSE-SU-2026:1066-1
USN-7091-1
USN-7091-2
USN-7442-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Apple macOS
REXML
Red Hat
RED OS
Rocky Linux
Ruby
SUSE
Ubuntu