GHSA SYNC: 1 brand new advisory

rubysec · May 16, 2024 · 343e45a · 343e45a
1 parent 33eda20
commit 343e45a
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/gems/rexml/CVE-2024-35176.yml b/gems/rexml/CVE-2024-35176.yml
@@ -0,0 +1,38 @@
+---
+gem: rexml
+cve: 2024-35176
+ghsa: vg3r-rm7w-2xgh
+url: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
+title: REXML contains a denial of service vulnerability
+date: 2024-05-16
+description: |
+  ### Impact
+
+  The REXML gem before 3.2.6 has a DoS vulnerability when it
+  parses an XML that has many `<`s in an attribute value.
+
+  If you need to parse untrusted XMLs, you many be impacted
+  to this vulnerability.
+
+  ### Patches
+
+  The REXML gem 3.2.7 or later include the patch to fix this
+  vulnerability.
+
+  ### Workarounds
+
+  Don't parse untrusted XMLs.
+
+  ### References
+
+  * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
+cvss_v3: 5.3
+patched_versions:
+  - ">= 3.2.7"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-35176
+    - https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
+    - https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
+    - https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
+    - https://github.com/advisories/GHSA-vg3r-rm7w-2xgh