Bug 2307297 (CVE-2024-43398) - CVE-2024-43398 rexml: DoS vulnerability in REXML
Summary: CVE-2024-43398 rexml: DoS vulnerability in REXML
Keywords:
Status: NEW
Alias: CVE-2024-43398
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2307671 2307673 2307674 2307672 2307675 2307676 2307677 2307678 2307679 2307680 2307681
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-08-22 15:21 UTC by OSIDB Bzimport
Modified: 2024-09-18 19:08 UTC (History)
33 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in REXML RubyGems. This package is vulnerable to denial of service (DoS) when parsing a deep XML structure with the same local name attribute. This vulnerability only affects tree parser API like REXML::Document.new, other parser APIs such as stream parser API and SAX2 parser API are not affected.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:6670 0 None None None 2024-09-16 01:28:42 UTC
Red Hat Product Errata RHSA-2024:6702 0 None None None 2024-09-16 18:05:21 UTC
Red Hat Product Errata RHSA-2024:6703 0 None None None 2024-09-16 18:06:16 UTC
Red Hat Product Errata RHSA-2024:6784 0 None None None 2024-09-18 18:54:32 UTC
Red Hat Product Errata RHSA-2024:6785 0 None None None 2024-09-18 19:08:40 UTC

Description OSIDB Bzimport 2024-08-22 15:21:44 UTC
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Comment 3 errata-xmlrpc 2024-09-16 01:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6670 https://access.redhat.com/errata/RHSA-2024:6670

Comment 4 errata-xmlrpc 2024-09-16 18:05:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:6702 https://access.redhat.com/errata/RHSA-2024:6702

Comment 5 errata-xmlrpc 2024-09-16 18:06:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6703 https://access.redhat.com/errata/RHSA-2024:6703

Comment 6 errata-xmlrpc 2024-09-18 18:54:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6784 https://access.redhat.com/errata/RHSA-2024:6784

Comment 7 errata-xmlrpc 2024-09-18 19:08:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6785 https://access.redhat.com/errata/RHSA-2024:6785


Note You need to log in before you can comment on or make changes to this bug.