7.5

CVE-2024-49761

REXML ReDoS vulnerability

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ruby-langRexml SwPlatformruby Version < 3.3.9
   Ruby-langRuby Version < 3.2.0
NetappOntap Tools Version10 SwPlatformvmware_vsphere
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.43% 0.695
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 6.6 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
Patch
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
Third Party Advisory
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241227-0004/
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html