Bug 2298243 (CVE-2024-39908)

Summary: CVE-2024-39908 rexml: DoS vulnerability in REXML
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abishop, akostadi, amasferr, anthomas, bbuckingham, caswilli, cbartlet, chazlett, crizzo, dmayorov, eglynn, ehelms, ggainey, jjoyce, jlledo, jschluet, juwatts, jvasik, kaycoth, lhh, lsvaty, mburns, mgarciac, mhulan, mjaros, mkudlej, mmakovy, nmoumoul, osousa, pcreech, pgrist, rblanco, rchan, rhos-maint, slinaber, smallamp, tjochec, tvignaud, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption vulnerability was found in REXML. When parsing an untrusted XML with many specific characters such as `<`, `0`, and `%>`, it can lead to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2311467    
Bug Blocks:    

Description OSIDB Bzimport 2024-07-16 18:32:39 UTC 
 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
Comment 1 errata-xmlrpc 2024-09-18 18:54:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6784 https://access.redhat.com/errata/RHSA-2024:6784
Comment 2 errata-xmlrpc 2024-09-18 19:08:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6785 https://access.redhat.com/errata/RHSA-2024:6785
Comment 5 errata-xmlrpc 2025-04-22 02:17:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:4063 https://access.redhat.com/errata/RHSA-2025:4063
Comment 6 errata-xmlrpc 2025-05-06 02:27:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4488 https://access.redhat.com/errata/RHSA-2025:4488