Bug 1228072 (CVE-2024-39908)

Summary: VUL-0: CVE-2024-39908: ruby3.2, rubygem-rexml: ReDoS when parsing an XML that has many specific characters
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Marcus Rückert <mrueckert>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: camila.matos
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/414312/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-39908:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-07-17 13:59:29 UTC
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be affected by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
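The advisory gives two mitigations: upgrade to REXML 3.3.2 or later, or stop feeding untrusted XML to an older REXML. The following Ruby snippet is an added illustration of how an application can enforce that at the call site; it is not code from the bug report, the REXML project, or SUSE. It reads the real `REXML::VERSION` constant, compares it against the 3.3.2 threshold stated above with `Gem::Version`, and refuses to parse untrusted input on an older gem. The function names, the 1 MB size cap and the 2 s timeout are assumptions chosen here as a generic belt-and-braces limit, not values from the advisory.

```ruby
require 'rubygems'
require 'timeout'
begin
  require 'rexml/document' # also loads rexml/rexml, which defines REXML::VERSION
rescue LoadError
  # REXML not installed: parse_untrusted_xml will raise instead of parsing
end

# First REXML release that the advisory above says carries the fixes.
FIXED_REXML_VERSION = Gem::Version.new('3.3.2')

# True when the given REXML version string is at or past the fixed release.
def rexml_fixed?(version_string)
  Gem::Version.new(version_string) >= FIXED_REXML_VERSION
end

# Version of the REXML actually loaded into this process, or nil if absent.
def installed_rexml_version
  defined?(REXML::VERSION) ? REXML::VERSION : nil
end

# Parse XML from an untrusted source only when the loaded REXML is patched.
# max_bytes and timeout_s are hypothetical defensive limits (assumption), kept
# even on a patched gem to bound the cost of any single parse.
def parse_untrusted_xml(xml, max_bytes: 1_000_000, timeout_s: 2,
                        rexml_version: installed_rexml_version)
  raise 'REXML is not available in this process' if rexml_version.nil?
  unless rexml_fixed?(rexml_version)
    raise "refusing to parse untrusted XML with REXML #{rexml_version} " \
          "(< #{FIXED_REXML_VERSION}, CVE-2024-39908); upgrade the gem"
  end
  raise "XML input of #{xml.bytesize} bytes exceeds #{max_bytes}" if xml.bytesize > max_bytes
  Timeout.timeout(timeout_s) { REXML::Document.new(xml) }
end

if $PROGRAM_NAME == __FILE__
  puts "loaded REXML: #{installed_rexml_version.inspect}"
  # Constructed sample input; with an unpatched gem this raises instead of parsing.
  doc = parse_untrusted_xml('<root><item id="1"/></root>')
  puts "parsed root element: #{doc.root.name}"
end
```

The `rexml_version:` keyword exists so the gate can be unit-tested without depending on whichever gem happens to be installed; in production it should be left at its default so the check reflects the loaded library.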

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39908
https://www.cve.org/CVERecord?id=CVE-2024-39908
https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908