Bug 2280894 (CVE-2024-35176) - CVE-2024-35176 REXML: DoS parsing an XML with many `<`s in an attribute value
Summary: CVE-2024-35176 REXML: DoS parsing an XML with many `<`s in an attribute value
Keywords:
Status: NEW
Alias: CVE-2024-35176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2282493 2282494 2282495
Blocks: 2280888
Reported: 2024-05-16 20:52 UTC by Zack Miele
Modified: 2025-01-03 08:27 UTC (History)
CC List: 5 users

Fixed In Version: REXML 3.2.7
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2024:4684 | 0 | None | None | None | 2024-07-22 06:07:00 UTC
Red Hat Product Errata | RHSA-2024:4499 | 0 | None | None | None | 2024-07-11 11:48:07 UTC
Red Hat Product Errata | RHSA-2024:5338 | 0 | None | None | None | 2024-08-13 18:36:59 UTC

Description Zack Miele 2024-05-16 20:52:33 UTC
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later includes the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
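The following Ruby script is an added illustration of the issue described above; it is not code from the rexml project, the advisory, or Red Hat. It builds the kind of document the advisory describes (one attribute value holding many raw `<` characters, which is ill-formed XML, since the XML 1.0 AttValue production excludes `<`), times the installed REXML on it if REXML is available, and shows a cheap pre-parse guard for callers who must accept untrusted XML. The size and `<` thresholds and the attribute-value regex are illustrative assumptions, not anything REXML provides.

```ruby
# Added example for this bug (not code from the rexml project or Red Hat).
# Builds the ill-formed document the advisory describes, optionally times
# REXML on it, and shows a cheap pre-parse guard. The thresholds and the
# attribute-value regex below are assumptions for illustration only.
require "benchmark"

begin
  require "rexml/document"
  REXML_AVAILABLE = true
rescue LoadError
  REXML_AVAILABLE = false
end

# Constructed input: one attribute whose value is `lt_count` raw `<` characters.
# A raw `<` inside an attribute value is ill-formed XML (XML 1.0, AttValue),
# so a correct parser must reject it; the bug was how long REXML < 3.2.7
# took to do so as `lt_count` grew.
def crafted_xml(lt_count)
  %(<root attr="#{'<' * lt_count}"/>)
end

# Seconds the installed REXML needs to process `xml` (it is expected to
# reject the document), or nil when REXML is not installed.
def parse_time(xml)
  return nil unless REXML_AVAILABLE

  Benchmark.realtime do
    begin
      REXML::Document.new(xml)
    rescue StandardError
      # expected: REXML rejects the ill-formed document (REXML::ParseException)
    end
  end
end

# Heuristic (assumption): count raw `<` inside quoted values that follow `=`.
# It may over-count `="..."` sequences that appear in text content, which
# only makes the guard stricter, never looser.
ATTR_VALUE = /=\s*(?:"([^"]*)"|'([^']*)')/

def raw_lt_in_attribute_values(xml)
  xml.scan(ATTR_VALUE).flatten.compact.sum { |value| value.count("<") }
end

# Guard to run before handing untrusted XML to REXML: cap the byte size and
# refuse documents whose attribute values carry many raw `<`. The limits are
# illustrative assumptions; tune them to the inputs you actually expect.
def safe_to_parse?(xml, max_bytes: 1_000_000, max_raw_lt: 100)
  return false if xml.bytesize > max_bytes

  raw_lt_in_attribute_values(xml) <= max_raw_lt
end

if __FILE__ == $PROGRAM_NAME
  # Small sizes on purpose: on a vulnerable REXML the time grows quadratically,
  # on a fixed one it stays roughly linear.
  [500, 2_000].each do |n|
    xml = crafted_xml(n)
    t = parse_time(xml)
    rexml = t ? "#{t.round(4)}s" : "not installed"
    puts "#{n} raw '<' in attribute: guard=#{safe_to_parse?(xml)} rexml=#{rexml}"
  end
end
```

Running the script on a system whose REXML predates 3.2.7 shows the time for 2,000 `<`s growing far more than fourfold over the 500 case, while the guard rejects both inputs before REXML sees them; on a patched REXML the parser rejects the document quickly and the guard remains a defence-in-depth size limit for untrusted input.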

Comment 1 Zack Miele 2024-05-22 12:59:58 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-39 [bug 2282493]
Affects: fedora-40 [bug 2282494]

Comment 3 errata-xmlrpc 2024-07-11 11:48:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4499 https://access.redhat.com/errata/RHSA-2024:4499

Comment 4 errata-xmlrpc 2024-08-13 18:36:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5338 https://access.redhat.com/errata/RHSA-2024:5338
