CVE-2024-35176 – REXML contains a denial of service vulnerability
https://notcve.org/view.php?id=CVE-2024-35176
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs. • https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176 https://access.redhat.com/security/cve/CVE-2024-35176 https://bugzilla.redhat.com/show_bug.cgi?id=2280894 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2021-28965 – ruby: XML round-trip vulnerability in REXML
https://notcve.org/view.php?id=CVE-2021-28965
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. El REXML gem versiones anteriores a 3.2.5 en Ruby versiones anteriores a 2.6.7, versiones 2.7.x anteriores a 2.7.3 y versiones 3.x anteriores a 3.0.1, no aborda apropiadamente los problemas round-trip de XML. Puede ser producido un documento incorrecto después de analizarlo y serializarlo A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT https://security.netapp.com/advisory/ntap-20210528-0003 https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965 https://access.redhat.com/security/cve/CVE-2021-28965 https://bugzilla.redhat.com/show_bug.cgi?id=1947526 • CWE-611: Improper Restriction of XML External Entity Reference •