Bug 1228072 (CVE-2024-39908) - VUL-0: CVE-2024-39908: ruby3.2, rubygem-rexml: ReDoS when parsing an XML that has many specific characters
Summary: VUL-0: CVE-2024-39908: ruby3.2, rubygem-rexml: ReDoS when parsing an XML that...
Status: NEW
Alias: CVE-2024-39908
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: ---
Assignee: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/414312/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-39908:5.3:(AV:...
Keywords:
Depends on:
Blocks:
Reported: 2024-07-17 13:59 UTC by SMASH SMASH
Modified: 2024-07-17 14:17 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-07-17 13:59:29 UTC
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
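
The advisory's two mitigations (upgrade to 3.3.2 or later, otherwise do not hand untrusted XML to REXML) can be enforced at the call site. The following is an added example, not code from the bug report or from the REXML project: a guard that refuses to parse untrusted input when the REXML in use is older than the fixed version named on this page, and additionally caps the input size before parsing. The byte limit and the helper names are assumptions chosen for illustration.

```ruby
# Added example (not part of the bug report or the REXML project): a guard
# around REXML parsing that applies the advisory's mitigation advice.
require "rubygems" # Gem::Version for version comparison

# First REXML release that the page says contains the fixes.
FIXED_REXML_VERSION = Gem::Version.new("3.3.2")

# Constructed limit (assumption): bound how much untrusted XML one parse may
# see, so a slow parser path cannot be fed arbitrarily long input.
MAX_UNTRUSTED_XML_BYTES = 1_000_000

class UnsafeParserError < StandardError; end

# True when the given REXML version string is 3.3.2 or newer.
def rexml_patched?(version_string)
  Gem::Version.new(version_string) >= FIXED_REXML_VERSION
end

# Version of the REXML that would actually be used for parsing.
def installed_rexml_version
  require "rexml/rexml" # defines REXML::VERSION
  REXML::VERSION
end

# Parse an XML string from an untrusted source, refusing to do so on an
# affected REXML and rejecting oversized input. Returns a REXML::Document.
def parse_untrusted_xml(xml, rexml_version: nil, max_bytes: MAX_UNTRUSTED_XML_BYTES)
  rexml_version ||= installed_rexml_version
  unless rexml_patched?(rexml_version)
    raise UnsafeParserError,
          "REXML #{rexml_version} is affected by CVE-2024-39908; " \
          "upgrade to 3.3.2 or later before parsing untrusted XML"
  end
  if xml.bytesize > max_bytes
    raise ArgumentError, "untrusted XML is #{xml.bytesize} bytes, limit is #{max_bytes}"
  end
  require "rexml/document"
  REXML::Document.new(xml)
end

# Returns the root element name, or the refusal reason, for callers that
# prefer a summary over exceptions.
def describe_untrusted_xml(xml, **opts)
  parse_untrusted_xml(xml, **opts).root.name
rescue UnsafeParserError, ArgumentError => e
  "refused: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  sample = "<note><to>ops</to></note>" # constructed sample input
  puts describe_untrusted_xml(sample)                         # root name on a patched REXML
  puts describe_untrusted_xml(sample, rexml_version: "3.3.1") # refused: affected version
end
```

The version check runs before anything is parsed, so on an affected install the untrusted bytes never reach the parser; the `rexml_version:` keyword exists only so the behaviour can be exercised without downgrading the installed gem.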

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39908
https://www.cve.org/CVERecord?id=CVE-2024-39908
https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908