Bug 2302268 (CVE-2024-41123)

Summary: CVE-2024-41123 rexml: rubygem-rexml: DoS when parsing an XML having many specific characters such as whitespace character, >] and ]>
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abishop, akostadi, amasferr, bbuckingham, caswilli, cbartlet, chazlett, dhalasz, dmayorov, eglynn, ehelms, ggainey, jjoyce, jlledo, jschluet, juwatts, kaycoth, lhh, lsvaty, mburns, mgarciac, mhulan, mkudlej, mmakovy, nmoumoul, nsoni, pcreech, pgrist, rchan, rhos-maint, slinaber, tjochec, tvignaud, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2302829, 2302835, 2302779, 2302780, 2302781, 2302782, 2302783, 2302784, 2302785, 2302786, 2302787, 2302788, 2302789, 2302790, 2302791, 2302792, 2302793, 2302794, 2302795, 2302796, 2302797, 2302798, 2302799, 2302800, 2302801, 2302802, 2302803, 2302804, 2302805, 2302806, 2302807, 2302808, 2302809, 2302810, 2302811, 2302812, 2302813, 2302814, 2302815, 2302816, 2302817, 2302818, 2302819, 2302820, 2302821, 2302822, 2302823, 2302824, 2302825, 2302826, 2302827, 2302828, 2302830, 2302831, 2302832, 2302833, 2302834    
Bug Blocks:    

Description OSIDB Bzimport 2024-08-01 15:30:53 UTC
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

Comment 3 errata-xmlrpc 2024-09-16 01:28:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6670 https://access.redhat.com/errata/RHSA-2024:6670

Comment 4 errata-xmlrpc 2024-09-16 18:05:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:6702 https://access.redhat.com/errata/RHSA-2024:6702

Comment 5 errata-xmlrpc 2024-09-16 18:06:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6703 https://access.redhat.com/errata/RHSA-2024:6703

Comment 6 errata-xmlrpc 2024-09-18 18:54:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6784 https://access.redhat.com/errata/RHSA-2024:6784

Comment 7 errata-xmlrpc 2024-09-18 19:08:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6785 https://access.redhat.com/errata/RHSA-2024:6785