Bug 2302272 (CVE-2024-41946) - CVE-2024-41946 rexml: DoS vulnerability in REXML
Summary: CVE-2024-41946 rexml: DoS vulnerability in REXML
Keywords:
Status: NEW
Alias: CVE-2024-41946
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2302283 2302284 2302285 2302286 2302287 2302288 2302289 2302290 2302291 2302292 2302293 2302294 2302295 2302296 2302297 2302298 2302299 2302300 2302301 2302302 2302303 2302304 2302305 2302306 2302307 2302308 2302309 2302310 2302311 2302312 2302313 2302314 2302315 2302316 2302317 2302318 2302319 2302320 2302321 2302322 2302323 2302324 2302325 2302326 2302327 2302328 2302329 2302330 2302331 2302332 2302333 2302334 2302335 2302336 2302337 2302338 2302339 2302340
Blocks:
Reported: 2024-08-01 15:31 UTC by OSIDB Bzimport
Modified: 2024-10-14 11:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the REXML package. Reading an XML file that contains many entity expansions may lead to a denial of service due to resource starvation. An attacker can use this flaw to trick a user into processing an untrusted XML file.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:6670 0 None None None 2024-09-16 01:28:40 UTC
Red Hat Product Errata RHSA-2024:6702 0 None None None 2024-09-16 18:05:20 UTC
Red Hat Product Errata RHSA-2024:6703 0 None None None 2024-09-16 18:06:16 UTC
Red Hat Product Errata RHSA-2024:6784 0 None None None 2024-09-18 18:54:27 UTC
Red Hat Product Errata RHSA-2024:6785 0 None None None 2024-09-18 19:08:37 UTC

Description OSIDB Bzimport 2024-08-01 15:31:08 UTC
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML document that has many entity expansions with the SAX2 or pull parser API. The REXML gem 3.3.3 or later includes the patch to fix the vulnerability.

Comment 1 errata-xmlrpc 2024-09-16 01:28:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6670 https://access.redhat.com/errata/RHSA-2024:6670

Comment 2 errata-xmlrpc 2024-09-16 18:05:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:6702 https://access.redhat.com/errata/RHSA-2024:6702

Comment 3 errata-xmlrpc 2024-09-16 18:06:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6703 https://access.redhat.com/errata/RHSA-2024:6703

Comment 4 errata-xmlrpc 2024-09-18 18:54:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6784 https://access.redhat.com/errata/RHSA-2024:6784

Comment 5 errata-xmlrpc 2024-09-18 19:08:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6785 https://access.redhat.com/errata/RHSA-2024:6785
