Bug 1947526 (CVE-2021-28965) - CVE-2021-28965 ruby: XML round-trip vulnerability in REXML
Summary: CVE-2021-28965 ruby: XML round-trip vulnerability in REXML
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-28965
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1950523 1950949 1947527 1947528 1947529 1947530 1950520 1950521 1950522 1950524 1950525 1950526 1950527 1954788 1955057 1956794 1957118
Blocks: 1947531
TreeView+ depends on / blocked
 
Reported: 2021-04-08 16:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-09-22 12:35 UTC (History)
25 users (show)

Fixed In Version: ruby 2.5.9, ruby 2.6.7, ruby 2.7.3, ruby 3.0.1, rubygem-rexml 3.2.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. This issue could affect the integrity of processed data in applications using REXML that parse XML documents, write data back to XML, and re-parse them again.
Clone Of:
Environment:
Last Closed: 2021-05-26 11:32:36 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2584 0 None None None 2021-06-29 16:01:52 UTC
Red Hat Product Errata RHSA-2021:2587 0 None None None 2021-06-29 16:03:43 UTC
Red Hat Product Errata RHSA-2021:2588 0 None None None 2021-06-29 16:04:51 UTC

Description Guilherme de Almeida Suckevicz 2021-04-08 16:46:35 UTC
When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

Reference:
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/

Comment 1 Guilherme de Almeida Suckevicz 2021-04-08 16:47:13 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1947527]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-33 [bug 1947528]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-33 [bug 1947529]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1947530]

Comment 2 Yadnyawalk Tale 2021-04-09 18:25:08 UTC
Red Hat CloudForms is in maintenance support 2 phase and we won't be fixing Low and Medium severity security issues. Please refer CloudForms updated Statement of Direction: https://access.redhat.com/articles/4639821

Comment 8 errata-xmlrpc 2021-05-25 13:14:19 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104

Comment 9 Product Security DevOps Team 2021-05-26 11:32:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28965

Comment 10 errata-xmlrpc 2021-06-03 11:25:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2229 https://access.redhat.com/errata/RHSA-2021:2229

Comment 11 errata-xmlrpc 2021-06-03 11:26:02 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230

Comment 12 errata-xmlrpc 2021-06-29 16:01:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2584 https://access.redhat.com/errata/RHSA-2021:2584

Comment 13 errata-xmlrpc 2021-06-29 16:03:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587

Comment 14 errata-xmlrpc 2021-06-29 16:04:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588


Note You need to log in before you can comment on or make changes to this bug.